Federal Housing Finance Agency
Advisory Bulletins
<p>Advisory Bulletin AB 2018-08, Oversight of Third-Party Provider Relationships (applicability&#58; All; dated 9/28/2018)</p><div class="custom-contentTypeContent"><div aria-labelledby="ctl00_PlaceHolderMain_ctl04_label" style="display&#58;inline;"><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-08&#58;&#160; OVERSIGHT OF THIRD-PARTY PROVIDER RELATIONSHIPS</strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong><em><br>Purpose</em></strong></p></div></div><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance to Fannie Mae and Freddie Mac, the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities<a href="#1">[1]</a>) on assessing and managing risks associated with third-party provider relationships.&#160; For the purposes of this AB, a third-party provider relationship is a business arrangement between a regulated entity and another entity that provides a product or a service.<a href="#2">[2]</a>&#160; When entering into third-party provider relationships, the regulated entities can be exposed to financial, operational, legal, compliance, and reputational risk.&#160; Effective risk management of third-party provider relationships is essential to the safe and sound operations of the regulated entities.&#160;</p><p style="text-decoration&#58;underline;"> <em><strong>Guidance</strong></em></p><p>FHFA expects each regulated entity to establish and maintain a third-party provider risk management program (program) that includes the following&#58;</p><ol style="list-style-type&#58;upper-roman;"><li>Governance</li><ol style="list-style-type&#58;upper-alpha;"><li>Responsibilities of the Board and Senior Management</li><li>Policies, Procedures, and Internal Standards</li><li>Reporting</li></ol><li>Third-Party Provider
Risk Management Life Cycle Phases</li></ol><ol style="list-style-type&#58;upper-roman;"><ol style="list-style-type&#58;upper-alpha;"><li>Risk Assessment</li><li>Due Diligence in Third-Party Provider Selection</li><li>Contract Negotiation </li><li>Ongoing Monitoring</li><li>Termination</li></ol></ol><p style="text-align&#58;left;">A regulated entity's program should enable oversight of third-party provider relationships in accordance with the level of risk presented, the nature of the relationship, the scale of the outsourced product or service, and the risk inherent in the relationship.&#160; Because of this risk-based approach, aspects of this AB may not apply to every third-party provider relationship.&#160; The regulated entities should ensure that the quality and extent of third-party provider risk management corresponds with the level of risk and the complexity of these relationships.&#160; </p><p style="text-align&#58;left;">FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236 Appendix.&#160; Three relevant PMOS articulate guidelines for a regulated entity's board of directors and management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10).&#160; In addition, each regulated entity should manage its program as part of its enterprise-wide risk management program and in accordance with all relevant FHFA guidance.<a href="#3">[3]</a>&#160; </p><blockquote dir="ltr"><blockquote dir="ltr"><blockquote dir="ltr"><blockquote dir="ltr"><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><h4> &#160;I.&#160;&#160;&#160;&#160;&#160;&#160; Governance </h4><p> <em>A.&#160;&#160;&#160;&#160; Responsibilities of the Board and Senior Management</em></p></blockquote></blockquote><p style="text-align&#58;left;">The 
board of directors or board committee (board) should approve a policy establishing the program.&#160; The board-level policy (or management-level policies, as appropriate) should establish criteria for the acceptance and monitoring of risks related to third-party provider engagements and include enterprise-wide risk management processes that reflect the complexity of the regulated entity.&#160; Policies should assign clear roles and responsibilities to entity personnel, establish requirements for documenting decisions concerning third-party providers, and identify internal stakeholders throughout the third-party provider relationship.&#160; Internal audit, or an independent third party if specialized expertise is required, should audit the program periodically, including review of third-party assessments.</p><p>The regulated entity's board is responsible for oversight of the program, while senior management is responsible for executing the regulated entity's program and applicable policies on behalf of the board, consistent with established delegations.&#160; Each regulated entity's board should ensure that senior management has effective processes in place to manage risks related to third-party provider relationships, consistent with the regulated entity's strategic goals, organizational objectives, and risk appetite.&#160; </p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Policies, Procedures, and Internal Standards</em></p></blockquote><p style="text-align&#58;left;">The regulated entities should establish and implement risk management processes in their policies that clearly define risk categories for the oversight of third-party provider relationships.&#160; Risk categories should consider the type and degree of risk inherent in the relationship, the scope and breadth of the third-party provider relationship, the nature of the product or service provided, and the ability to find an 
acceptable replacement for the third-party provider. &#160;In addition to categorizing these relationships, the regulated entity should document and consistently update its inventory of third-party providers.&#160; The regulated entity's program should articulate governance standards for risk-based due diligence, monitoring, and oversight that reflect the defined risk categories.&#160; The more risk a third-party provider relationship poses to the regulated entity, the more rigorously the regulated entity should perform these activities.&#160; Documentation requirements should correspond to the risk category or the nature of the third-party provider relationship.&#160; Other factors considered in establishing a risk-based approach include third-party provider relationships that could&#58; </p><ul style="list-style-type&#58;disc;"><li>Cause a regulated entity to face significant business, operational, legal, compliance, or reputational risk if the third-party provider fails to meet its obligations;</li><li>Require significant resources and costs to implement and manage the risk (such as a third-party provider that has an integral role in the regulated entity's operations or a financial technology firm that leverages emerging technologies); or</li><li>Have a major effect on the regulated entity's operations if it needs to procure an alternate third-party provider or has to perform the service in house.</li></ul><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Reporting</em> </p></blockquote><p> The regulated entity should implement a reporting system that provides management sufficient information to adjust the program, including policy, resources, expertise, and controls.&#160; Management should receive periodic reports from program stakeholders about commencing new third-party provider relationships, continuing existing ones, or terminating arrangements that do not meet expectations or no 
longer align with the goals of the regulated entity.&#160; Regular reports to management could incorporate the documentation of phases of the third-party provider relationship, such as analysis of costs, or reputational risks found during ongoing monitoring.&#160; Reports should contain sufficient detail to adequately inform the intended audience and sufficiently support related business decisions.</p><p> To assist the board in oversight of the program, management should provide the board with regular enterprise-wide reports on the regulated entity's management of risks associated with third-party providers.&#160; Management should also notify the board of significant third-party risks, such as business interruptions and terminations for cause, or third-party provider relationships that approach the regulated entity's risk appetite limits.&#160;&#160;</p><p>&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><h4>II.&#160;&#160;&#160;&#160;&#160;&#160;&#160; Third-Party Provider Risk Management Life Cycle Phases</h4></blockquote><p style="text-align&#58;left;">An effective program should include policies and procedures that cover all phases of the regulated entity's third-party provider relationship life cycle&#58; &#160;Risk Assessment, Due Diligence in Third-Party Provider Selection, Contract Negotiation, Ongoing Monitoring, and Termination.&#160; The scope and duration of each phase should be consistent with the program's policy, and multiple phases may be addressed simultaneously.&#160; The documentation for each phase is also dependent on whether the phase applies and the extent to which it applies. 
&#160;The life cycle phases are discussed in more detail below.</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Phase 1 – Risk Assessment </em></p></blockquote><p style="text-align&#58;left;">Each regulated entity's program should include processes to assess the risks associated with engaging a third-party provider to supply a product or service.&#160; Factors the assessment should consider include&#58;</p><ul style="list-style-type&#58;disc;"><li>The operational, compliance, legal, and reputational risks associated with having a third-party provider supply the product or service and the risk that expected benefits do not outweigh the costs;</li><li>The breadth of the products or services that would be delivered by a third-party provider;</li><li>Whether the regulated entity has adequate resources and expertise to monitor the third-party provider relationship;</li><li>The complexity of the arrangement, volume of activity, potential for a third-party provider's use of subcontractors, and the technology required; and</li><li>Potential information security risks associated with giving a third-party provider access to the regulated entity's operating location, information systems, or proprietary or personally identifiable information.</li></ul><p style="text-align&#58;left;">If the regulated entity establishes a third-party provider relationship, the program should provide for management of the associated risks.&#160; As necessary, the risk assessment should include a strategy for the regulated entity to procure adequate resources or expertise to mitigate the risks or justify acceptance of the identified risks.&#160; The regulated entity should review and update its risk assessment and revise risk mitigation strategies when appropriate.&#160; When documenting its risk assessment analysis, the regulated entity
should indicate any risk assessment tools used in the process.</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Phase 2 – Due Diligence in Third-Party Provider Selection</em></p></blockquote><p style="text-align&#58;left;">Each regulated entity should conduct due diligence on a third-party provider before entering into a contract.&#160; The degree of due diligence should be commensurate with the level of risk of the outsourced activity and the complexity of the third-party provider relationship.&#160; A regulated entity should not rely solely on its prior experience or knowledge of the third-party provider as a substitute for an objective risk assessment of the third-party provider's ability to supply a product or service in a safe and sound manner.&#160; A regulated entity may refer to a third-party provider's independent audit, Service Organization Control (SOC) report, or recognized certifications to assess certain aspects of the third-party provider's internal risk management controls.&#160; Due diligence review should align with the severity of the risk.&#160; Due diligence results, findings, and recommendations should be documented.</p><p style="text-align&#58;left;">Due diligence prior to entering into a third-party provider relationship should include an evaluation of financial, operational, legal, compliance, and reputational risks of engaging the proposed third-party provider.&#160; As part of the due diligence review, the regulated entity should consider&#58; </p><ul style="list-style-type&#58;disc;"><li>Whether the proposed third-party provider can offer the product or service in compliance with applicable laws and regulations, as well as the regulated entity's internal policies, procedures, and other requirements;</li><li>The third-party provider's overall business model and how current and proposed business activities may affect the risks presented by the third-party 
provider; </li><li>The third-party provider's business background, experience, and reputation; </li><li>The financial performance, resources, and condition of the proposed third-party provider;</li><li>The third-party provider's insurance coverage;</li><li>The third-party provider's operational and internal controls, including information security, incident reporting and management, and business continuity programs; </li><li>Concentration risks that may arise from relying on a third-party provider for multiple products or services or from a third-party provider's reliance on subcontractors; </li><li>The extent to which the third-party provider relies on subcontractors to perform its obligations, the controls the subcontractor has in place, and the third-party provider's processes to oversee subcontractors that would be directly involved in the outsourced product or service; </li><li>Any potential conflicts of interest with the directors, officers, or employees of the regulated entity concerning potential third-party providers;<a href="#4">[4]</a> and</li><li>Whether the third-party provider's fee structure involves potential risks, such as incentives for inappropriate risk-taking.&#160; </li></ul><p style="text-align&#58;left;">Each regulated entity's third-party provider selection process should also be designed to ensure, to the extent possible and consistent with safety and soundness, the inclusion of&#160;minority-, women-, and disabled-owned businesses.<a href="#5">[5]</a></p><p style="text-align&#58;left;">Management should review the due diligence results to determine whether the third-party provider is able to adequately provide the product or service at a level of risk acceptable to the regulated entity.&#160; If the third-party provider cannot meet the regulated entity's requirements, management should consider whether to seek an alternate provider, supply the
product or service itself, or mitigate the identified risks to the extent practicable. </p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Phase 3 – Contract Negotiation </em></p></blockquote><p style="text-align&#58;left;">Each contract with a third-party provider should clearly specify the rights and responsibilities of each party.&#160; Consistent with the risk category involved, the regulated entity should consider what level of legal review is necessary for contracts with third-party providers and should ensure that the attorneys conducting the review for a particular contract have the appropriate subject matter expertise or work in conjunction with appropriate subject matter experts. &#160;Copies of executed contracts should be retained for reference and record-keeping purposes.</p><p style="text-align&#58;left;">The regulated entity should consider the following when negotiating contractual provisions with third-party providers&#58;</p><ul style="list-style-type&#58;disc;"><li>The nature and scope of service; </li><li>Duration of service; </li><li>Performance standards and service levels; </li><li>Experience requirements of third-party providers and their contractors;</li><li>Cost and compensation, including the timing and procedures for payment and expense reimbursement;</li><li>Confidentiality, use, location, and security of information; </li><li>Business continuity and contingency plans and test results;</li><li>Intellectual property ownership, rights, and responsibilities; </li><li>Timely disclosure of conflicts of interest or potential conflicts of interest from the third-party provider;</li><li>Incident reporting and management;</li><li>Dispute resolution process (<em>e.g.</em> arbitration, mediation), termination, and remedies; and</li><li>Internal controls and audit reports.</li></ul><p>The regulated entity should address what constitutes nonperformance and
the conditions under which the contract may be terminated by either party.&#160; The contract should also stipulate the circumstances for and responsibilities when termination occurs.&#160; If the regulated entity could no longer legally engage a third-party provider,<a href="#6">[6]</a> the contract should include a provision that enables the regulated entity to terminate the contract for regulatory noncompliance.&#160; </p><p style="text-align&#58;left;">The regulated entity should also ensure that contracts address compliance with the specific laws, regulations, and guidance applicable to the regulated entity, including the regulated entity's right to obtain necessary information to conduct ongoing risk assessments, as well as monitor performance and ensure contract compliance.&#160; Contracts should also address whether the regulated entity has the right to conduct periodic on-site reviews to verify compliance.&#160; If contracts allow for subcontracting, the regulated entity generally should seek to ensure that the primary third-party provider remains responsible for the performance of its subcontractors in accordance with the terms of the primary contract, and be notified of the identity of any material subcontractors, when appropriate. 
</p><p style="text-align&#58;left;">Contracts for third-party providers should address, as appropriate, the provider's responsibility for continuation of the product or service in the event of an operational failure, such as man-made and natural disasters.&#160; Contracts should address requirements for third-party providers to back up information and maintain disaster recovery and contingency plans with sufficiently detailed operating procedures.&#160; </p><p style="text-align&#58;left;">Other issues such as the maintenance of adequate insurance, ownership of data or licenses, privacy, and liability limitations should be considered, as applicable.&#160; For example, the regulated entity should consider potential legal and security risks to cross-border data storage, transmission, and processing.&#160;&#160;&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>D.&#160;&#160;&#160; Phase 4 – Ongoing Monitoring</em></p></blockquote><p style="text-align&#58;left;">The nature and extent of monitoring of the performance of third-party provider relationships should be commensurate with the level of risk.&#160; Management should also ensure that the regulated entity retains sufficient staff with the necessary expertise, authority, and accountability to oversee and monitor the third-party provider relationship.&#160; The approach (<em>e.g.</em>, on-site versus off-site review), depth, scope, and frequency of the monitoring and oversight activities should correspond to the risk category involved.&#160; If the regulated entity outsources any part of its monitoring and oversight, management is responsible for choosing a service provider appropriate for the entity's size, complexity, and risk environment.&#160; </p><p style="text-align&#58;left;">Ongoing monitoring should include the due diligence activities referenced in Phase 2 that apply to the particular third-party provider relationship.&#160; Management of the 
regulated entity should also consider whether the third-party provider is&#58;</p><ul style="list-style-type&#58;disc;"><li>Meeting service-level agreements, performance metrics, and other contractual terms; </li><li>Monitoring and evaluating subcontractor controls that are relevant to the contract work being performed;</li><li>Engaged in agreements with other entities that may pose a conflict of interest or present risks; </li><li>Performing periodic background checks; and</li><li>Complying with applicable legal and regulatory requirements, including documenting such compliance when necessary.</li></ul><p style="text-align&#58;left;">Because both the level and types of risks may change over the lifetime of a third-party provider relationship, a regulated entity should ensure that its ongoing monitoring adapts accordingly.&#160; Periodic assessments should be conducted to determine whether the product or service remains necessary or relevant to the regulated entity's mission or operations.&#160; Each regulated entity should also periodically assess existing third-party provider relationships to determine whether the nature of the product or service provided has changed, resulting in the need for re-designation to a new risk category. &#160;Management should review existing third-party provider contracts to determine whether the terms and conditions address current risks associated with having the product or service supplied by the third-party provider.&#160; Where concerns are identified, the regulated entity should consider addressing those concerns by negotiating an amendment to the contract where appropriate, or revising the contract prior to a renewal. 
&#160;</p><p style="text-align&#58;left;">When a regulated entity identifies concerns through ongoing monitoring, it should seek to resolve the issues at the earliest opportunity.&#160; Management should ensure procedures exist to escalate issues such as service agreement performance, material weaknesses and repeat audit findings, deterioration in financial condition, security breaches, data loss, or compliance lapses.&#160; Additionally, management should ensure that the regulated entity's controls for managing these risks from third-party provider relationships are tested regularly.&#160; Weaknesses identified that substantively increase the risk to the regulated entity should be reported to the board based on an assessment of the level of associated risk.</p><p style="text-align&#58;left;">Any assessments and analyses performed during this phase should be documented, as well as any regular risk management and performance reports received from the third-party provider (<em>e.g.</em>, audit reports, security reviews, and reports about compliance with service-level agreements).</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <em>E.&#160;&#160;&#160;&#160; Phase 5 – Termination</em></p></blockquote><p style="text-align&#58;left;">The terms of each contract will govern how a regulated entity or a third-party provider may terminate the contractual relationship.&#160; A regulated entity may wish to terminate a third-party provider relationship for various reasons, including&#58;&#160;</p><ul style="list-style-type&#58;disc;"><li>Expiration, completion, or satisfaction of the contract;</li><li>Breach of contract;</li><li>To engage an alternate third-party provider;</li><li>To discontinue the product or service; </li><li>To bring the product or service in house; or</li><li>To comply with an FHFA order directing suspension of the third-party provider relationship. 
</li></ul><p style="text-align&#58;left;">Each regulated entity should have strategies and contingency plans in place to terminate third-party provider relationships in an efficient manner that minimizes risk to the regulated entity, whether the outsourced product or service is transitioned to another third-party provider, brought in house, or discontinued. The regulated entity should consider&#58;</p><ul style="list-style-type&#58;disc;"><li>The capabilities, resources, and time frames required to transition the product or service while still managing legal, regulatory, and other risks;</li><li>Risks associated with data retention and destruction, information system connections and access control issues, or other control concerns that require additional risk management and monitoring during and after the end of the third-party provider relationship;</li><li>Intellectual property ownership, rights, and responsibilities, as well as the handling of any joint intellectual property developed during the course of the arrangement; </li><li>The return of any regulated entity's information in the third-party provider's possession after voluntary or involuntary termination of the contract;</li><li>Reputational risks to the regulated entity if the termination results from the third-party provider's inability to meet expectations; and</li><li>Roles and assistance with transfer or wind down of the outsourced product or service upon termination.</li></ul><p style="text-decoration&#58;underline;"> <strong> <em>Related Guidance</em></strong></p><p>12 CFR Part 1236 Prudential Management and Operations Standards, Appendix. 
</p><p> <em>Cloud Computing Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2018-04, August 14, 2018.</p><p> <em>Oversight of Multifamily Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2018-05, August 14, 2018.</p><p> <em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.</p><p> <em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.</p><p> <em>Data Management and Usage</em>, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.</p><p> <em>Information Technology Investment Management</em>, Federal Housing Finance Agency Advisory Bulletin 2015-06, September 21, 2015.</p><p> <em>Oversight of Single-Family Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014.</p><p> <em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2014-02, February 18, 2014.</p><p> <em>Model Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2013-07, November 20, 2013.</p><p> <em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013.</p><p>___________________________________________<br></p><p> <a name="1">[1]</a> The OF is not a “regulated entity” as the term is defined by statute (<em>see </em>12 U.S.C.
4502(20)).&#160; However, for convenience, references to the “regulated entities” in this AB should be read to also apply to the OF.&#160; </p><p> <a name="2">[2]</a> This AB does not apply to business arrangements through which an FHLBank provides products or services to its members or housing associates, or to an FHLBank's business arrangements with sponsors participating in its Affordable Housing Program.</p><p> <a name="3">[3]</a> 12 CFR 1239.11(a).</p><p> <a name="4">[4]</a> 12 CFR 1239.10(a).</p><p> <a name="5">[5]</a> 12 CFR 1223.2, 1223.21.</p><p> <a name="6">[6]</a> <em>See, e.g.</em>, 12 CFR Part 1227.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. Questions about this advisory bulletin should be directed to&#58;&#160;<a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.</p></td></tr></tbody></table><br></blockquote></blockquote></blockquote>
<p>Advisory Bulletin AB 2018-09, Interest Rate Risk Management (applicability&#58; FHLBanks, Fannie Mae, and Freddie Mac; dated 9/28/2018)</p><div class="custom-contentTypeContent"><div aria-labelledby="ctl00_PlaceHolderMain_ctl04_label" style="display&#58;inline;"><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-09&#58; INTEREST RATE RISK MANAGEMENT</strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong><em><br>Purpose</em></strong></p></div></div><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance for interest rate risk management at the Federal Home Loan Banks (Banks), Fannie Mae, and Freddie Mac (the Enterprises), collectively known as the regulated entities. &#160;This guidance supersedes the Federal Housing Finance Board's advisory bulletin, <em>Interest Rate Risk Management</em> (AB 2004-05).&#160; Interest rate risk management is a key component in the management of market risk.&#160; These guidelines describe principles the regulated entities should follow to identify, measure, monitor, and control interest rate risk. &#160;The AB is organized as follows&#58;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>I.&#160;&#160;&#160;Governance</p></blockquote><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> A. Responsibilities of the Board</p><p> B. Responsibilities of Senior Management</p><p>C. Risk Management Roles and Responsibilities</p><p>D. Policies and Procedures</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> II.&#160;&#160; Interest Rate Risk Strategy, Limits, Mitigation, and Internal Controls</p></blockquote><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p>A. Limits</p><p>B.
Interest Rate Risk Mitigation</p><p>C. Internal Controls</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>III.&#160;Risk Measurement System, Monitoring, and Reporting</p></blockquote><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p>A. Interest Rate Risk Measurement System</p><p>B. Scenario Analysis and Stress Testing</p><p>C. Monitoring and Reporting</p></blockquote><p> <span style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></span></p><p>Interest rate risk is the risk that changes in interest rates may adversely affect financial condition and performance.&#160; More specifically, interest rate risk is the sensitivity of cash flows, reported earnings, and economic value to changes in interest rates.&#160; As interest rates change, expected cash flows to and from a regulated entity change.&#160; The regulated entities may be exposed to changes in&#58;&#160; the level of interest rates; the slope and curvature of the yield curve; the volatilities of interest rates; and the spread relationships between assets, liabilities, and derivatives.&#160; Interest rate risk may include repricing risk, basis risk, option risk, option-adjusted spread (OAS) risk, prepayment risk, and model risk.&#160; Excessive interest rate risk can threaten liquidity, earnings, capital, and solvency.&#160; </p><p>The regulated entities can manage interest rate risk with respect to economic value of equity, earnings, or both. 
&#160;These approaches are complementary because they provide different types of relevant information, but each has limitations.&#160; The economic value of equity represents the underlying net market value (or net present value) of a regulated entity's assets and liabilities, including any off-balance sheet items.&#160; A common risk management objective is to keep the market value of equity from falling below pre-specified limits over a range of interest rate scenarios.&#160; One limitation of this approach is that market value measures do not identify when future earnings problems may occur.&#160; When the focus is on earnings, the risk management objective is to maintain earnings within an acceptable range over specified time horizons, which are generally short-term, ranging from one year to five years. &#160;If the objective is to ensure that net income will remain within certain parameters during the given time period over a range of interest rate scenarios, management overlooks risks that exist beyond the forecast horizon.</p><p>FHFA's general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Appendix to Part 1236, four of which are relevant to managing interest rate risk.&#160; Standard 3 (Management of Market Risk Exposure) highlights the expectation for each regulated entity to have a clearly defined and well-documented strategy for managing market risk and establishes responsibilities for the board of directors or delegated board committee (board) and senior management.&#160; Standard 4 (Management of Market Risk – Measurement Systems, Risk Limits, Stress Testing, and Monitoring and Reporting) includes guidelines for market risk management in these areas.&#160; Standard 2 (Independence and Adequacy of Internal Audit Systems) and Standard 8 (Overall Risk Management Processes) include responsibilities for internal audit, the board, and senior management along with an independent 
risk management function. </p><p style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></p><p>Each regulated entity's risk management practices should enable it to identify, measure, monitor, and control its interest rate risk exposures. &#160;An effective interest rate risk management function includes appropriate management of risk exposure, policies and procedures, risk limits, internal controls, risk measurement systems, monitoring, and reporting.&#160; A regulated entity should periodically review industry standards with regard to interest rate risk management.</p><h2><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <strong>I.&#160;&#160;&#160;&#160;&#160;&#160; Governance</strong></p></blockquote></h2><p>The board and senior management should ensure that the regulated entity has in place appropriate policies, procedures, and internal controls for managing and controlling the regulated entity's exposure to interest rate risk.&#160; The board should oversee the adequacy of senior management's actions.&#160; Senior management should also ensure the regulated entity's risk measurement, monitoring, and reporting systems are reliable and effective.&#160; </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Responsibilities of the Board </em></p></blockquote><p>The board should oversee the adequacy of actions taken by senior management to identify, measure, manage, control, and report on interest rate risk exposures. &#160;The board should establish the regulated entity's tolerance for interest rate risk, approve major interest rate risk limits, and provide management with clear guidance regarding the level of acceptable interest rate risk.&#160; The board should approve major strategies and policies relating to the management of interest rate risk. 
&#160;The board should ensure such major strategies and policies are consistent with the regulated entity's overall business plan. </p><p>The board should review interest rate risk exposures on a periodic basis. &#160;Reports provided to the board should include appropriate details to allow the board to remain sufficiently informed about the nature and level of the regulated entity's interest rate risk exposures in light of current market conditions, established risk limits, operating performance, and other relevant factors.&#160; As a group, the board should have the requisite knowledge and background to assess the information provided and recommend further actions. </p><p>At least annually, or more frequently if there are significant changes in market or financial conditions, the board should review the interest rate risk management framework and major policies, limits, and internal controls. &#160;The regulated entity's risk tolerance; management's compliance with risk limits; results of stress tests; the level of the regulated entity's capital; and the effectiveness of the risk management framework, measurement systems, and reporting systems should inform the board's review of the risk limits.&#160; The board should document any changes to board-approved interest rate risk limits in its minutes.&#160; The board should also ensure that management takes appropriate corrective measures when interest rate risk limit breaches occur.&#160;&#160;&#160; </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Responsibilities of Senior Management</em></p></blockquote><p>Senior management implements board-approved strategies and policies relating to the management of interest rate risk.&#160; Senior management should ensure interest rate risk policies and procedures are clearly written, sufficiently detailed, adhered to, periodically reviewed, and should recommend updates for board approval, as 
appropriate.&#160; Senior management should ensure adequate organizational structure, systems, and resources are available to manage and control interest rate risk, and that personnel are appropriately trained and competent.</p><p>Senior management should periodically review and discuss with the board information regarding the nature and level of the regulated entity's interest rate risk exposures. &#160;Senior management should inform the board of how changing market conditions could affect interest rate risk exposure.&#160; The discussions should be sufficient in detail and timeliness to permit the board to understand and assess the management and control of the regulated entity's interest rate risk exposures.&#160; Senior management should report interest rate risk limit breaches to the board and identify appropriate remedial actions. &#160;Senior management should make the board aware of the advantages and disadvantages of the regulated entity's chosen interest rate risk management strategy and alternative strategies.&#160; </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Risk Management Roles and Responsibilities</em></p></blockquote><p>Policies and procedures should delineate the roles and responsibilities of persons assigned to measure, manage and control interest rate risk so they operate with sufficient independence from the business units, as applicable. &#160;&#160;</p><p>Business units encounter interest rate risk on a daily basis and should follow policies and procedures when taking steps to manage and maintain interest rate risk within approved limits.&#160; Senior management, through an asset and liability management (or similar) committee, is responsible for managing and controlling interest rate risk. 
</p><p>The risk management function, or unit, is responsible for interest rate risk measurement, risk monitoring, and independent oversight, including the establishment and enforcement of board-approved interest rate risk limits.&#160; It should also be responsible for ensuring that the business units have effective processes in place to identify, assess, monitor, and report on key interest rate risks. The chief risk officer must report regularly to the risk committee and to the chief executive officer.<a href="#1">[1]</a></p><p>Internal audit should conduct periodic evaluations of internal controls around interest rate risk management. &#160;Internal audit should conduct risk-based audits of the regulated entity's interest rate risk management and determine whether management promptly addresses findings or weaknesses regarding interest rate risk management.&#160; Internal audit should review adherence to interest rate risk management policies and procedures. </p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>D.&#160;&#160;&#160; Policies and Procedures</em></p></blockquote><p>A regulated entity should have interest rate risk management policies and procedures appropriate for its risk profile.&#160; This includes being clearly written, sufficiently detailed, formally approved at the appropriate level, and, as applicable, periodically reviewed by the board and senior management.&#160; Approved policies and procedures should include defined interest rate risk limits and assign lines of authority and responsibility for managing interest rate risk. 
&#160;Procedures should exist for monitoring compliance with limits and to follow up on instances of noncompliance or breaches.&#160; &#160;&#160;</p><p>Management should ensure that policies and procedures to identify and manage inherent risks are sufficient before undertaking new products, offerings, or activities.&#160; </p><p>The regulated entity should also have policies and procedures for any management, ad hoc, or “on top&quot; adjustments to model-generated interest rate risk metrics, and provide clear instructions on needed approvals and documentation requirements.&#160; The documentation should explain the adjustment and the reason it is necessary as well as how long it will be required.&#160; The regulated entity's enterprise risk management or another authorized management risk committee should be made aware of, and approve, any major management, ad hoc, or “on top&quot; adjustments to interest rate risk metrics.</p><h2><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <strong>II.&#160;&#160;&#160;&#160;&#160;&#160; Interest Rate Risk Strategy, Limits, Mitigation, and Internal Controls</strong></p></blockquote></h2><p>A regulated entity should have a clearly defined and well-documented strategy for managing and mitigating interest rate risk, consistent with its overall business plan.&#160; The regulated entity should identify, manage, monitor, and control interest rate risk exposures on a business unit and an enterprise-wide basis.</p><p>It is incumbent on the regulated entity to understand the adopted strategy's impact on financial condition, whether the objective is to control risk to economic value of equity, earnings, some other target, or a combination thereof.&#160; Overemphasis on one approach may not be optimal and may lead to problems over time.&#160; For example, meaningful declines in the market value of equity to the book value of equity ratio, prospective earnings, or related indicators may signal 
interest rate risk management weaknesses, even if these declines occur within the context of low reported risk and compliance with approved policies and limits.</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Limits</em></p></blockquote><p>A regulated entity should establish an interest rate risk framework that includes interest rate risk metrics, a comprehensive set of board-approved interest rate risk limits, and management threshold levels, set below board limits, to serve as warning triggers and initiate discussion regarding risk levels. &#160;The risk limits should be consistent with the regulated entity's risk profile, profitability objectives, and liquidity and capital needs.&#160; Limits should not be set so far above actual risk exposures that they are meaningless or have no effect on risk taking behavior. &#160;The regulated entity should also maintain a record of all limit breaches.</p><p>Different metrics used for setting interest rate risk limits may include, as applicable&#58; &#160;duration of equity, convexity of equity, volatility duration, market value sensitivity to yield curve parallel moves and twists, key-rate duration, maturity gap of assets and liabilities, prepayment duration, spread duration, market value of equity to par value of capital stock, market value of equity to book value of equity, retained earnings, net interest income sensitivity, and Value at Risk.&#160; A regulated entity should understand the advantages and disadvantages of the interest rate risk limits framework it has chosen to utilize.</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Interest Rate Risk Mitigation</em></p></blockquote><p>A regulated entity should mitigate interest rate risk to keep risks within approved levels and should be able to identify problems that occur even when risks are within approved 
levels.&#160; For example, a regulated entity should be able to recognize significant accumulating losses from interest rate risk, explain the causes of losses, and manage risk exposure at some point even if the regulated entity is in compliance with approved strategy, policies, and limits.&#160; </p><p>A regulated entity can mitigate interest rate risk through a variety of strategies including&#58; matched funding, funding with debt having embedded options, hedging using derivatives, and building retained earnings. &#160;Matched funding allows a regulated entity to match the maturity of its assets and liabilities. &#160;Funding with debt having embedded options could allow regulated entities to mitigate exposures of assets with explicit and implicit options such as mortgages.&#160; Hedging using derivatives allows the regulated entity to mitigate interest rate risk by changing its cash flows and economic exposure stemming from certain changes in interest rates. &#160;Building retained earnings allows the regulated entity to have a larger capital base to absorb the impact of an adverse interest rate change.&#160; Having a robust net interest income stream also allows a regulated entity to absorb the effects of adverse interest rate movements. 
</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Internal Controls </em></p></blockquote><p style="text-align&#58;left;">A regulated entity should have sufficient internal controls around interest rate risk management.&#160; The internal control process should aim to ensure effective and efficient management of interest rate risk; reliable measurement of interest rate risk; reliable reporting and communication of interest rate risk; and compliance with applicable statutes, regulations, and policies governing interest rate risk.&#160; Additionally, internal controls should support periodic reviews and evaluations of policies and procedures as well as the accuracy and reliability of risk measurement systems.</p><p style="text-align&#58;left;">A regulated entity should monitor the adequacy and effectiveness of its internal controls and information systems on an ongoing basis through a formal self-assessment process.&#160; Business units, enterprise risk management, and internal audit should conduct periodic evaluations of internal controls for interest rate risk management. &#160;</p><h2><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p> <strong>III.&#160;&#160;&#160;&#160;&#160;&#160; Risk Measurement System, Monitoring, and Reporting</strong></p></blockquote></h2><p>The regulated entities should choose which method(s) to use to measure interest rate risk. &#160;Methods may include&#58; Duration Analysis, Earnings Simulation Analysis, Earnings at Risk, Capital at Risk, Value at Risk, Economic Value of Equity, or other methods. &#160;Generally, a regulated entity would measure interest rate risk by valuing its assets, liabilities, derivatives, and off-balance sheet exposures in different interest rate environments.&#160; A regulated entity should understand the advantages and disadvantages of its chosen interest rate risk measurement method(s). 
</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>A.&#160;&#160;&#160;&#160; Interest Rate Risk Measurement System </em></p></blockquote><p>A regulated entity should have an interest rate risk measurement system (<em>i.e.</em>, a model or set of models) that captures all material sources of interest rate risk, including repricing risk, yield curve risk, basis risk, prepayment risk, and option risk. &#160;The sophistication of the risk measurement system should be commensurate with the complexity of the financial instruments held by the regulated entity.&#160; The risk measurement system should also provide meaningful and timely measures of the regulated entity's risk exposures and use generally accepted financial concepts, valuation methodologies, and risk measurement techniques. &#160;</p><p>The risk measurement system should be capable of valuing all of the regulated entity's assets and liabilities, including off-balance sheet positions and derivatives, and estimating the effect of changes in interest rates and other key risk factors on the regulated entity's earnings and market value of equity over a range of scenarios.&#160; A regulated entity should properly document and bring to management's attention instances where the risk measurement system cannot reliably value an instrument or requires a model workaround.&#160; Any management, ad hoc, or “on top&quot; adjustments to model output should be made according to approved procedures.&#160; The measurement system should use directly or indirectly observed market prices for its estimates of market values where feasible.&#160; A regulated entity should test new products to verify the risk measurement system can properly measure the exposure of the new product.&#160; </p><p>Periodically, enterprise risk management or another authorized management risk committee should review the interest rate risk measurement system for accuracy and reliability, including 
comparison to actual portfolio behaviors when feasible.&#160; Management should ensure the integrity and timeliness of the data inputs used to measure interest rate risk exposures and that assumptions and parameters are reasonable and properly documented.&#160; Management should also understand strengths and weaknesses of the model(s) used, including sensitivity to changes in key assumptions. &#160;</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>B.&#160;&#160;&#160;&#160; Scenario Analysis and Stress Testing</em></p></blockquote><p style="text-align&#58;left;">A regulated entity should routinely conduct scenario analysis as a part of interest rate risk management as it relates to market value measures and net income measures.&#160; Scenarios should include increasing and decreasing parallel and nonparallel interest rate shocks of varying magnitudes as well as an instantaneous and gradual steepening and flattening of the yield curve.&#160; The regulated entity should also consider changes in prepayment speeds for mortgage-related instruments, volatility for securities impacted by interest rate volatility, and relevant interest rate spreads for different securities.&#160; The scenarios should identify the main exposures within a regulated entity's interest rate risk profile.&#160; A regulated entity could perform analysis to identify which assumptions or inputs cause the largest impact. </p><p>A regulated entity should perform periodic stress testing of interest rate risk management positions. &#160;The stress scenarios should include interest rate shocks and shifts in the economic environment that are of a magnitude such that it tests the effectiveness of the interest rate risk management of the regulated entity.&#160; These stress scenarios should vary over time.&#160; The regulated entity should include scenarios conducted for its annual strategic business plan or annual stress testing as applicable. 
</p><p style="text-align&#58;left;">The regulated entity should give special consideration to financial instruments or markets where it has significant concentrations, financial instruments in which a regulated entity's position may be more difficult to unwind or hedge during periods of market stress, and complex financial instruments with embedded options that may be more difficult to evaluate in stressful scenarios.</p><p style="text-align&#58;left;">If management or the board finds the results from the scenario analysis or stress testing unacceptable, management should determine a course of action and may need to modify, rebalance, or hedge so that performance would be acceptable under the identified scenarios.&#160; The board and senior management should periodically review the design of the stress tests to ensure that they capture conditions where the regulated entity is most vulnerable.</p><blockquote style="margin&#58;0px 0px 0px 60px;padding&#58;0px;border&#58;currentcolor;"><p> <em>C.&#160;&#160;&#160;&#160; Monitoring and Reporting</em></p></blockquote><p>A regulated entity should routinely monitor and report interest rate risk exposures using scenario analysis to business unit managers, senior management, and the board at a level appropriate for each.&#160; The interest rate risk reports should be accurate, informative, and timely.&#160; The reports should show adherence to approved interest rate risk policies and limits and any exceptions or breaches of limits and policies. The reports should identify and explain limit breaches. </p><p>The interest rate risk reports should reflect and show trends in measures used to evaluate interest rate risk management objectives.&#160; Reports should show the market value of the regulated entity's assets, liabilities, and off-balance sheet exposures, including derivatives, under a range of scenarios.&#160; With respect to earnings, reports should show net income over a specified time horizon under various scenarios. 
&#160;Reports should also include backtesting results to compare past forecasts, or risk estimates, with actual results. &#160;&#160;</p><p>Interest rate risk reports should identify any changes to risk models and model assumptions, describe the rationale for the changes, and analyze their impact on risk measures and risk limits.&#160; Interest rate risk reports should also note any management, ad hoc, or “on top&quot; adjustments to interest rate risk models, the reason for the adjustment, and the start and expected end date for the use of the adjustment.&#160; </p><p style="text-decoration&#58;underline;"> <strong><em>Related Guidance</em></strong></p><p> <em>Model Risk Management Guidance, </em>Federal Housing Finance Agency, Advisory Bulletin AB-2013-07, November 20, 2013.</p><p> <em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency, Advisory Bulletin AB-2016-05, October 7, 2016.</p><p>Appendix to 12 CFR Part 1236 - Prudential Management and Operating Standards.&#160; </p><p>12 CFR Part 1239 – Responsibilities of Board of Directors, Corporate Practices, and Corporate Governance.&#160; </p><p>________________________<br></p><p> <a name="1">[1]</a> 12 CFR 1239.11(c)(5)&#160;&#160; </p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. 
Questions about this advisory bulletin should be directed to&#58;&#160;<a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.</p></td></tr></tbody></table>
Liquidity Risk Management25675Fannie Mae & Freddie Mac8/22/2018 4:00:00 AMAB 2018-06<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-06</strong><br></p><p> <strong>LIQUIDITY RISK MANAGEMENT</strong><br></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"><strong><em>Purpose&#160;</em></strong></p><p>This advisory bulletin (AB) communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) guidance for the management of liquidity risk. Strong liquidity risk management supports safe and sound operations by enabling the Enterprises to meet their financial obligations when they come due without incurring unacceptable losses.&#160;</p><p>This advisory bulletin summarizes the principles of sound liquidity risk management, and, where appropriate, aligns with the regulation of other financial intermediaries. FHFA expects the Enterprises to use liquidity metrics that are commensurate with their funds management strategies and provide a comprehensive view of their liquidity risk to ensure that sufficient funds are available at a reasonable cost to meet potential demands.&#160;</p><p>This AB supersedes AB 2014-01 (<em>Liquidity Risk Management</em>).&#160;</p><p style="text-decoration&#58;underline;"><strong><em>Background&#160;</em></strong></p><p>Liquidity risk is the risk that an Enterprise will be unable to meet its financial obligations as they come due without incurring unacceptable losses. Strong liquidity risk management enables an Enterprise to be financially sound to perform its public mission and to limit and control shortfalls in cash. 
The guidance emphasizes the importance of cashflow projections, diversified funding sources, stress testing, a cushion of liquid assets, and a formal, well-developed contingency funding plan as primary tools for measuring and managing liquidity risk.&#160;</p><p>The standards for safe and sound operations for the Enterprises are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR part 1236. Standard 5 (Adequacy and Maintenance of Liquidity and Reserves) states that each Enterprise should establish a liquidity management framework, articulate liquidity risk tolerances, and establish a process for identifying, measuring, monitoring, controlling, and reporting its liquidity position and liquidity risk exposures. In addition, Standard 5 includes guidelines for conducting stress tests to identify sources of potential liquidity strain and guidelines for establishing contingency funding plans.&#160;</p><p>Standard 8 (Overall Risk Management Processes) states the expectation for the Enterprises to establish risk management practices that measure, monitor, and control liquidity risk. The PMOS describe responsibilities of boards of directors and management for all Standards.</p><p style="text-decoration&#58;underline;"><strong><em>Guidance&#160;</em></strong></p><p>Each Enterprise is expected to be able to identify, measure, monitor, control, and report its liquidity exposures by accurately identifying both existing and emerging risks, and quantifying the primary sources of liquidity risk. 
Effective liquidity risk management should include&#58;&#160;</p><ul><li>Adequate board of directors (board) and senior management oversight;&#160;<br></li><li>Appropriate liquidity management policies, procedures, and limits;&#160;<br></li><li>Appropriate risk measurement methodology, monitoring, and reporting systems; and&#160;<br></li><li>An effective contingency funding plan.&#160;<br></li></ul><p>The Enterprise should address risks unique to it with regard to liquidity, such as access to debt markets and the ability to sell or repurchase securities during a crisis.&#160;<br></p><p><strong>Board of Directors and Senior Management Oversight&#160;</strong></p><p>An Enterprise’s board is ultimately responsible for the liquidity risk assumed by the Enterprise and for guiding the strategic direction of liquidity risk management. The board, or a committee thereof, should establish and approve appropriate liquidity risk tolerances and limits, and oversee management’s establishment and approval of liquidity management strategies, policies, and procedures. The board should review these at least annually. In addition, the board is expected to have an understanding of the Enterprise’s business activities and associated liquidity risk. The board should understand the cash inflows and outflows that dictate an Enterprise’s liquidity needs (e.g., trust remittance cycle, guarantee fee, cash window, and mortgage purchase commitments). The board is expected to ensure that senior management has the necessary expertise to effectively manage liquidity risk. <a href="#1">[1]</a>​&#160;</p><p>Senior management oversees the daily and long-term management of liquidity risk. 
As part of an effective liquidity risk management program, senior management&#58;&#160;<br></p><ul><li>Develops liquidity risk management strategies, policies, and practices for approval by the board;&#160;<br></li><li>Implements sound internal controls for managing liquidity risk;&#160;<br></li><li>Establishes effective information systems and contingency funding plans; and&#160;<br></li><li>Establishes reporting systems that produce timely and accurate information on the Enterprise’s liquidity position and sources of risk exposure, including concentration risk, and provides regular reports to the board.&#160;<br></li></ul><p>These responsibilities may be delegated to a board-approved management committee.&#160;<br></p><p>The Enterprise’s organizational structure should clearly assign responsibility, authority, and relationships for managing liquidity risk and management should ensure that personnel are competent and appropriately trained with regard to the Enterprise’s established systems, policies and tolerances.&#160;</p><p>FHFA expects a Treasury unit to be responsible for the ownership and management of the liquidity risk limits. The unit should also be responsible for the identification, assessment, mitigation, control, monitoring, and reporting of liquidity risk, and for the Enterprise’s adherence to risk policies, standards, and limits.&#160;</p><p>A risk management unit should be responsible for the independent oversight and monitoring of liquidity risk. 
The risk management unit’s responsibilities would normally include&#58;&#160;</p><ul><li>Ensuring that risk limits for liquidity risk are meaningful and assessing liquidity risk against key risk indicators;&#160;<br></li><li>Independently reporting on liquidity risk issues;&#160;<br></li><li>Escalating liquidity risk breaches;&#160;<br></li><li>Stress testing liquidity risk limits;&#160;<br></li><li>Providing senior management and the board with reports on liquidity risk management and gaps between supervisory guidance, industry sound practices, and practices at the Enterprise; and&#160;<br></li><li>Ensuring that the Treasury unit has an effective process in place to identify, assess, monitor, and report on key liquidity risks.&#160;<br></li></ul><p><strong>Appropriate Liquidity Management Policies, Procedures, and Limits&#160;</strong><br></p><p>A robust set of liquidity risk management policies would appropriately include&#58;&#160;</p><ul><li>Standards regarding day-to-day operational liquidity needs;&#160;<br></li><li>Plans for dealing with contingent liquidity needs, including potential temporary, intermediate-term, and long-term liquidity disruptions;&#160;<br></li><li>Board-established liquidity risk tolerances, and procedures that establish steps to manage the risk exposures within those limits;&#160;<br></li><li>Methodology for determining the Enterprise’s operational and contingency liquidity needs;&#160;<br></li><li>Characteristics of investments that can be held for liquidity purposes;&#160;<br></li><li>Identification of investments that can be liquidated with minimal loss during times of stress;&#160;<br></li><li>Provisions for documenting and periodically reviewing assumptions used in liquidity projections;&#160;<br></li><li>Contingency funding plan for the Enterprise’s ability to access capital markets during periods of market stress; and&#160;<br></li><li>The nature and frequency of liquidity risk reporting for management and the 
board.&#160;<br></li></ul><p>Liquidity risk tolerances or limits should be appropriate for the complexity and liquidity risk profile of the Enterprise and should employ quantitative targets. These limits, tolerances, and guidelines will be most effective if they include items such as&#58;&#160;<br></p><ul><li>Discrete or cumulative cashflow mismatches or gaps (sources and uses of funds) over specified future short- and long-term time horizons under both expected and adverse business conditions. These may be expressed as cashflow coverage ratios or as specific aggregate amounts;&#160;<br></li><li>Target amounts of unpledged, high-quality liquid asset reserves expressed as aggregate amounts or as ratios;&#160;<br></li><li>Asset concentrations, especially with respect to more complex exposures that are illiquid or difficult to value, e.g., the size of the position relative to the depth of the market;&#160;<br></li><li>Funding concentrations that address diversification issues, such as dependency on a few sources of borrowed funds; and&#160;<br></li><li>Contingent liability metrics, such as amounts of unfunded commitments and lines of credit relative to available funding.&#160;<br></li></ul><p><strong>Appropriate Risk Measurement Methodology, Monitoring, and Reporting Systems</strong>&#160;<br></p><p>FHFA expects an Enterprise’s measurement of liquidity to include metrics for intraday liquidity, short-term cash needs (e.g., 30 days), access to collateral to manage cash needs over the medium term (e.g., 365 days), and a general congruence between the maturity profiles of the assets and liabilities. An Enterprise should also consider common industry practices and regulatory standards. <a href="#2">[2]</a>&#160;</p><p>FHFA expects that an Enterprise’s measurement systems should reasonably measure liquidity exposures, identify potential liquidity shortfalls, and simulate various market scenarios, including stress scenarios.
Measurement systems should include robust models for projecting cashflows and an Enterprise’s liquidity needs over appropriate time horizons, ranging from intraday to longer-term liquidity needs of one year or more. These systems are expected (i) to measure tenor, liquidation costs, time to liquidate assets, and liquidity provider concentrations to ensure that reliance on certain funding structures or sources of funds is appropriately identified and controlled, and (ii) to capture all significant on- and off-balance sheet items and be adjusted as products or risks change.&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>A. Cashflow Modeling&#160;</em></p></blockquote><p>Since an Enterprise’s cashflows depend on choices mortgage borrowers make to prepay or extend their obligations, managing liquidity risk will be facilitated by the Enterprises’ use of pro forma cashflow statements. Pro forma cashflow analysis can be used to project sources and uses of funds under various liquidity scenarios to identify potential funding gaps. In determining potential liquidity needs and risk management strategies, the possibility of losses and deterioration in valuations from potential credit and market events should be considered. The Enterprise should account for this in assessing the feasibility and impact of asset sales on its liquidity position during stress events. Stress events should include national and regional events, as well as cases where such catastrophic events occur simultaneously. The Enterprise should be able to calculate all of its collateral positions in a timely manner, including the value of assets currently pledged relative to the amount of security required and unencumbered assets available to be pledged.
The Enterprise should be aware of the operational and timing requirements associated with accessing collateral given its physical location (i.e., the custodian entity or securities settlement system with which collateral is held). The Enterprise should also fully address the potential demand for additional collateral arising from various types of contractual contingencies during periods of both market-wide and Enterprise idiosyncratic stress.&#160;<br></p><p>To capture a variety of stresses, management’s pro forma cashflow analysis should incorporate multiple scenarios that consider the general and unique risks faced by the Enterprise.&#160;</p><p>Assumptions used in pro forma cashflow projections should be reasonable and appropriate, adequately documented, and periodically reviewed by the appropriate risk management unit and the model oversight group at the Enterprises. Assumptions should consider a wide range of potential outcomes with regard to the stability of borrowings and securitization. Sensitivity tests should be performed to measure the effects that material changes to assumptions would have on related accounts.&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>B. Management Reporting&#160;</em></p></blockquote><p>To effectively fulfill senior management’s responsibilities with respect to liquidity risk management, it is necessary that senior management receive sufficient reports on the Enterprise’s liquidity risk management. An Enterprise should generate such reports at least monthly, including the level and trend of the Enterprise’s liquidity risk, and should report to the board, or a board committee, quarterly. If liquidity risk is high, or if it is moderate and increasing, more frequent reports are likely to be called for.
Reportable items may include&#58;&#160;<br></p><ul><li>Cashflow gaps;&#160;<br></li><li>Asset and funding concentrations;&#160;<br></li><li>Critical assumptions used in cashflow projections;&#160;<br></li><li>Key early warning or risk indicators;&#160;<br></li><li>Funding availability;&#160;<br></li><li>Status of contingent funding sources; and&#160;<br></li><li>Collateral usage.&#160;<br></li></ul><p><strong>Contingency Funding Plan (CFP)&#160;</strong><br></p><p>Funding decisions can be influenced by unplanned events. Such events include the inability to fund asset growth; difficulty renewing or replacing funding as it matures;<a href="#3">[3]</a> the exercise of options by customers to prepay or to draw down lines of credit; legal or operational risks; the demise of a business line; and market disruptions. Funding and investment strategies that are concentrated in one or two business lines or relationships, such as the Enterprises’ strategies, typically are at greater risk of being disrupted by adverse events.&#160;</p><p>An Enterprise should examine contracts and arrangements associated with major lines of business and funding sources to identify low-probability/high-impact events that could adversely affect liquidity. Contingency plans that incorporate practical solutions that can be adopted quickly to address such contingencies as they arise will minimize exposure to such events.&#160;</p><p>An Enterprise’s CFP should be customized to the liquidity risk profile of the Enterprise, and should identify the types of stress events which may be faced. The overall impact of a given stress event should be considered, including both direct and indirect effects.
To be effective in mitigating foreseeable stress events, the CFP should&#58;&#160;</p><ul><li>Define responsibilities and decision-making authority so that all personnel understand their role during a problem-funding situation;&#160;<br></li><li>Include an assessment of the possible liquidity events that an Enterprise might encounter;&#160;<br></li><li>Detail how management will monitor for liquidity events, typically through stress testing of various scenarios in a pro forma cashflow format; and&#160;<br></li><li>Identify and assess the adequacy of contingency funding sources. The plan should identify any back-up facilities (lines of credit), the conditions and limitations to their use, and the circumstances where the Enterprise might use such facilities. Management should understand the various legal, financial, and logistical constraints, such as notice periods, collateral requirements, or net worth covenants, that could affect the Enterprise’s ability to use back-up facilities. Management should test back-up facilities annually.&#160;<br></li></ul><p>CFPs are particularly important in institutions such as the Enterprises that rely on securitization. This is because an Enterprise’s income is generated from its volume of business. The Enterprises have contracts to purchase fixed volumes of loans from mortgage originators, and they are dependent on the To Be Announced (TBA) market to generate corresponding cash inflows. CFPs are expected to address scenarios where securitization or asset sales become rapidly unavailable.
The Enterprise should have plans in place to address disruptions in the capital markets that would result in delayed sales of loans as well as required increases in retained interests and other credit enhancements.&#160;</p><p style="text-decoration&#58;underline;"> <strong><em>Related Guidance&#160;</em></strong></p><p>12 CFR part 1720 Safety and Soundness Standards, August 30, 2002.&#160;</p><p>12 CFR part 1236 Prudential Management and Operations Standards, Appendix.&#160;</p><p>12 CFR Part 249 Liquidity Coverage Ratio&#58; Liquidity Risk Measurement Standards, October 10, 2014.&#160;</p><p>12 CFR part 1239 Responsibilities of Boards of Directors, Corporate Practices, and Corporate Governance, December 21, 2015.&#160;<br></p><p>Proposed Rule on Net Stable Funding Ratio&#58; Liquidity Risk Measurement Standards and Disclosure Requirements, 81 FR 35124 through 35183, June 1, 2016.&#160;</p><p><em>Model Risk Management Guidance</em>, Federal Housing Finance Agency Advisory Bulletin 2013-07, November 20, 2013.&#160;</p><p><em>Liquidity Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2014-01, February 18, 2014 (superseded).<br></p><hr /> <p> <a name="1">[1]</a> Liquidity risk management policies and procedures should establish the roles and responsibilities of groups involved in liquidity risk management, and have clear escalation procedures in the event of a breach of the liquidity limits. This would include board-level risk limits and action plans in the event of a breach of risk limits. The standards for board governance in 12 CFR part 1239, FHFA’s Corporate Governance Rule, were issued November 2015.
Section 1239.11 addresses risk management.</p><p> <a name="2">[2]</a> On October 10, 2014, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation collectively issued a final rule that implemented a quantitative liquidity requirement, the Liquidity Coverage Ratio (LCR). 12 CFR part 50 (OCC); 12 CFR part 249 (Regulation WW) (Federal Reserve Board); 12 CFR part 329 (FDIC). On June 1, 2016, the FFIEC interagency rule for the <a href="https&#58;//www.occ.gov/news-issuances/federal-register/81fr35124.pdf">Net Stable Funding Ratio&#58; Liquidity Risk Measurement Standards and Disclosure Requirements</a> (NSFR) was proposed. 81 FR 35124 through 35183 (June 1, 2016). These sources address issues of short-term liquidity (e.g., the adequacy of high-quality asset holdings) and the scale of cashflow mismatches over the intermediate term. As of this date, the Net Stable Funding Ratio has not been adopted, but the proposal remains a useful reference point.&#160;</p><p> <a name="3">[3]</a> Critical rollover needs can be identified using funding ladders.<br></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.
Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.<br></p></td></tr></tbody></table>
Cloud Computing Risk Management (AB 2018-04, 8/15/2018)<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-04</strong><br></p><p> <strong>CLOUD COMPUTING RISK MANAGEMENT</strong><br></p></td></tr></tbody></table><p><strong style="text-decoration&#58;underline;"><em>Purpose</em></strong><br></p><p>This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance to Fannie Mae, Freddie Mac, the Federal Home Loan Banks (FHLBanks), and the Office of Finance (OF) (collectively, the regulated entities) on assessing and managing risks associated with third-party cloud providers.&#160; Effective risk management of cloud providers is critical to safe and sound operations.&#160; Each regulated entity should use a risk-based approach across the key areas listed below to meet FHFA supervisory expectations&#58;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>I.&#160;Governance</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>A. Responsibilities of the Board and Senior Management</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>B. Strategies, Policies, Procedures, and Internal Standards</p></blockquote></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>II. Third-Party Cloud Provider Management</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>A. Due Diligence Assessment</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>B.
Service Agreements</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>C. Oversight and Ongoing Monitoring</p></blockquote></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>III. Information Security</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>A. Shared Responsibility for Security</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>B. Data Classification and Systems Security</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>C. Access Management</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>D. Incident Notification, Planning, and Response</p></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>E. Development and Testing Environments&#160;</p></blockquote></blockquote><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p>IV. 
Business Continuity Cloud Provider Management<br></p></blockquote><p><strong style="text-decoration&#58;underline;"><em>Background</em></strong></p><p>Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.&#160; This model is composed of five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (Software as a Service or SaaS, Platform as a Service or PaaS, and Infrastructure as a Service or IaaS), and four deployment models (private cloud, community cloud, public cloud, and hybrid cloud).</p><p>Relationships between cloud customers and their cloud providers are complex.&#160; Critical information and resource controls may shift from in-house operations to a third party, meaning the regulated entity and cloud provider share responsibility for safeguarding organizational information and systems.&#160; Additionally, cloud providers may have privileged access to organizational systems and information.&#160; Because of this shared responsibility, a regulated entity engaging with a cloud provider should take appropriate steps to manage associated third-party risks and revise the information security program to address risks specific to cloud computing.&#160; A regulated entity should also prepare for outages and failures that may hinder access to organizational information and systems that rely on cloud providers.<br></p><p>FHFA’s general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236 Appendix.&#160; Three relevant PMOS articulate guidelines for a regulated
entity’s board of directors and management to evaluate when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10).<br></p><p><strong style="text-decoration&#58;underline;"><em>Guidance</em></strong></p><p>FHFA expects each regulated entity to appropriately manage its cloud computing risks as part of its enterprise-wide risk management program, and in accordance with all relevant FHFA guidance.&#160; Application of this guidance by the regulated entity should correspond to the level of risk presented.&#160; The regulated entity’s evaluation of the level of risk should include the classification of the data hosted at the cloud provider, the criticality of the service(s) provided, service and deployment models used, and other risks associated with engaging a third-party cloud provider.</p><p>The regulated entity may establish a standalone cloud computing risk management program or subsume the governance and functions of cloud computing risk management under another established program.&#160; The complexity of and level of risk associated with the regulated entity’s cloud usage should inform the decision on whether the cloud computing risk management program should exist as a standalone program or is subsumed into other program(s).&#160; Because cloud computing affects several different areas of operations, those responsible for managing related risks should coordinate across different divisions to manage the third-party provider, information security, and business continuity risks.<br></p><p><strong>I.
Governance</strong></p><p>The governance of the cloud computing risk management program should consist of the cloud strategy, policies, procedures, and internal standards.&#160; If the regulated entity subsumes the governance of the cloud computing risk management program into other programs, the regulated entity should clearly communicate which strategies, policies, procedures, and internal standards apply.&#160; The complexity of and level of risk associated with the regulated entity’s cloud usage should inform whether the board or senior management approves the cloud computing strategy, policies, procedures, and internal standards.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>A. Responsibilities of the Board and Senior Management</em></p></blockquote><p>The board of directors or a committee thereof (board) should provide oversight to the cloud computing risk management program.&#160; As part of that oversight, the board should understand the risks involved in the regulated entity’s use of cloud computing.&#160; The board should ensure that senior management fully understands the effects of shifting to a cloud computing environment and has appropriate expertise on managing those effects prior to engaging a cloud provider.&#160; The board should review the strategy or strategic plan that covers cloud computing and major policies relating to associated risks.</p><p>Senior management should develop and periodically update policies, procedures, and internal standards and implement the cloud computing risk management program.&#160; Senior management should also periodically report to the board about the nature of the regulated entity’s cloud computing risk, which may change significantly over time.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>B. 
Strategies, Policies, Procedures, and Internal Standards</em></p></blockquote><p>Each regulated entity should establish and periodically update its cloud computing strategy, and evaluate its appetite for associated risks.&#160; The regulated entity’s current and planned cloud usage, including the extent and purpose, the classification of data stored on the cloud, and the choice of cloud service and delivery model, should inform the development of individual policies, procedures, and internal standards.&#160; Policies should describe appropriate uses for cloud computing.&#160; The regulated entity should evaluate and update policies, procedures, and internal standards so they are consistent with the cloud strategy and the regulated entity’s risk appetite.</p><p>The regulated entity should develop or update internal standards as a basis for managing and monitoring risks at levels consistent with the regulated entity’s risk appetite.&#160; The internal standards should establish the technical and operational criteria the regulated entity uses to evaluate cloud provider service agreements and controls, including criteria on performance and reliability in terms of availability, security, business continuity, and compliance.&#160; Where possible, internal standards should include metrics.&#160; The regulated entity should consider industry standards as well as its needs, capabilities, and risk appetite to inform the development of its internal standards.<br></p><p><strong>II. Third-Party Cloud Provider Management</strong></p><p>The regulated entities should take steps to mitigate the third-party risks arising from their use of cloud providers.&#160; The shared responsibility framework, heightened administrative privileges, standardized service model, and potential for vendor lock-in of cloud providers, result in new risks and complications to existing risks.&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>A. 
Due Diligence Assessment</em></p></blockquote><p>In addition to an evaluation of financial, operational, legal, compliance, and reputational risks of engaging the cloud provider, the regulated entity should evaluate whether and how shifting to a cloud computing environment affects risk.&#160; If warranted under the circumstances, the assessment should include a comparison with other cloud providers that offer comparable services.&#160; The results of due diligence assessments should frame service agreement negotiations and the regulated entity’s procedures and operations for managing provider-specific cloud computing risks.</p><p>The on-demand self-service and rapid elasticity of cloud service have the potential to result in substantial changes to the risks associated with a specific cloud provider when the service agreement has not changed.&#160; Consequently, due diligence assessments should occur for every cloud provider at contract inception and prior to any modifications in the level or type of services obtained that could result in significant increases to the regulated entity’s risk exposure.&#160; Policies on the frequency of due diligence assessments should also consider the rapid evolution in the market for cloud services.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>B. 
Service Agreements</em></p></blockquote><p>Recognizing that each cloud computing use, complexity, and risk is unique, the details of the service agreement provisions may vary.&#160; Because cloud providers often use a standardized service model, the regulated entity may not be able to negotiate changes to the selected cloud provider’s standard service agreement.&#160; In cases where there are differences between the chosen cloud provider’s service agreement and the regulated entity’s policies and internal standards, the regulated entity should first consider alternative providers.&#160; If a regulated entity determines that no alternatives exist that meet the business need, the regulated entity should develop plans to mitigate or transfer any risks emanating from the differences to reduce the risk to an acceptable level.​</p><p>Service agreements with a cloud provider should define roles and responsibilities of the cloud provider and regulated entity.&#160; Service agreements should not restrict information technology, information security, and business continuity teams from effectively performing their responsibilities in the cloud environment, including monitoring and evaluating performance, protecting against and responding to security incidents, and supporting ongoing risk and compliance management.<br></p><p>Prior to executing a cloud computing service agreement, legal and information security experts who are knowledgeable about cloud computing should review the agreement to determine if the agreement exposes the regulated entity to unacceptable levels of risk.&#160; The review should include an assessment of significant contractual risk points for cloud computing, such as the dispute resolution process, confidentiality provisions, privacy policy, data residency, and any limitations on liability, indemnities, termination rights, and suspension rights.&#160; Additionally, the review should include a determination of whether and how the cloud provider may use 
regulated entity data for its own purposes.&#160; In accordance with a regulated entity’s policies and procedures, the regulated entity should re-evaluate service agreements periodically to determine whether they need to be updated.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>C. Oversight and Ongoing Monitoring</em></p></blockquote><p>The regulated entity should implement and oversee ongoing monitoring to ensure compliance with the service agreement(s) and to evaluate the performance of the cloud provider.&#160; The regulated entity should track all cloud providers used, the approved cloud services, and usage of those services.&#160; Each entity should assess each cloud provider’s quality and performance in providing information security to protect data at rest and in transit and evaluate the timeliness and completeness of the provider’s communications.</p><p>If the regulated entity relies on monitoring and oversight provided by third parties, such as third-party audit reports, the regulated entity should evaluate whether its contracted cloud services match the services evaluated in the outsourced monitoring and oversight.<br></p><p><strong>III. Information Security</strong></p><p>Migrating operations to the cloud may result in both new information security risks, such as multi-tenancy risks, and complications to existing information security risks, such as risks stemming from privileged user access.&#160; The regulated entity should evaluate and revise its information security program to reflect its cloud computing environments, and it should, to the extent possible, extend information security governance, engineering, architecture, and operations to cloud computing environments and providers.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>A.
Shared Responsibility for Security</em></p></blockquote><p>The regulated entity and the cloud provider share responsibility for protecting data stored in the cloud.&#160; The regulated entity should understand its cloud security responsibilities, which may vary based on the provider and service model.&#160; In addition to any descriptions of the roles and responsibilities in the service agreement, the terms of the cloud provider’s information security standards and controls should inform the regulated entity of its responsibilities for protecting its cloud environment(s).&#160; The regulated entity should understand and mitigate, accept, or transfer the risks from any identified gaps in the cloud provider’s information security program.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>B. Data Classification and Systems Security</em></p></blockquote><p>The data classification and the regulated entity’s risk appetite should inform the security requirements of specific data in the cloud.&#160; Prior to placing data in a cloud environment, the regulated entity should evaluate the appropriateness of its protections, such as encryption, and geographic location of data at rest and in transit.&#160; The regulated entity should assess compliance with its security policies through regular tests of key controls, systems, and procedures it uses for its cloud environment(s).</p><p>The regulated entity should comply with laws and other requirements that may restrict where data are stored and establish appropriate data storage controls designed to maintain data in the appropriate physical location.&#160; Additionally, there are substantial legal and security risks to storing data outside the United States.&#160; The regulated entity should evaluate its risk appetite, the applicable jurisdiction’s laws, and the regulated entity’s expertise in and ability to effectively mitigate the security and legal risks prior to permitting hosting data 
in a jurisdiction outside of the United States.<br></p><p>The service and deployment model may also inform decisions about security requirements.&#160; For example, some cloud environments share physical components and resources among disparate tenants using logical separation of data.&#160; To protect against multi-tenancy risks, the regulated entity should ensure that it and the cloud provider take steps such as using information technology services and systems to monitor applicable activity within the cloud environment.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>C. Access Management</em></p></blockquote><p>Cloud computing environments may differ in access management configurations, so each regulated entity should take steps to ensure that identity and access management functions are configured properly.&#160; The regulated entity should evaluate the effectiveness of policies, procedures, and internal standards on identity and access management functions to protect against unauthorized or malicious use by the cloud provider.</p><p>The regulated entity should protect and secure cloud credentials.&#160; When encrypting data in the cloud, the regulated entity should protect and secure encryption keys in a manner consistent with the classification of the data they protect.​<br></p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>D. 
Incident Notification, Planning, and Response</em></p></blockquote><p>The regulated entity should update its incident response plan(s) to include incidents that could arise from using cloud providers.&#160; Responding to incidents that occur in the cloud environment often requires coordination with the cloud provider.&#160; Notification requirements in the service agreement should define the criticality of the incidents the cloud provider should report and require the cloud provider to deliver timely notification of such incidents with sufficient detail to allow the regulated entity to take steps to prevent the expansion of an incident, mitigate its effects, or eradicate the incident in accordance with its incident response plan.</p><blockquote style="margin&#58;0px 0px 0px 40px;border&#58;none;padding&#58;0px;"><p><em>E. Development and Testing Environments</em></p></blockquote><p>Regulated entities that isolate testing and development environments may maintain less rigorous controls over these environments to increase flexibility for developers and testers.&#160; The regulated entity should revisit and, as appropriate, update policies, procedures, and internal standards for development and testing on the cloud to assess whether it has sufficient controls to maintain security at all phases of the development life cycle.</p><p><strong>IV. 
Business Continuity Cloud Provider Management</strong></p><p>Cloud computing services may experience outages and performance slowdowns.&#160; The regulated entity should configure its cloud usage for a level of availability and reliability appropriate for its intended use.&#160; Using a cloud provider for disaster recovery does not relieve the regulated entity of its business continuity responsibilities.&#160; Business continuity plans should evaluate a variety of scenarios, including permanent cloud provider failure, as well as a range of short- to long-term disruptions.&#160; The regulated entity should test, using an appropriate testing method, its business continuity plan both prior to, and while relying on, the cloud provider(s) for operations.</p><p>Each regulated entity should consider the risk of using the same cloud provider for multiple critical services.&#160; If an FHLBank plans to rely on another FHLBank (e.g., Buddy Bank) for business continuity and both use the same cloud provider, these arrangements should be re-evaluated for the possibility of a simultaneous disruption.<br><br></p><p><em style="text-decoration&#58;underline;"><strong>Related Guidance</strong></em></p><p><em>Information Security Management</em>, Federal Housing Finance Agency Advisory Bulletin 2017-02, September 28, 2017.</p><p><em>Internal Audit Governance and Function</em>, Federal Housing Finance Agency Advisory Bulletin 2016-05, October 7, 2016.<br></p><p><em>Data Management and Usage</em>, Federal Housing Finance Agency Advisory Bulletin 2016-04, September 29, 2016.<br></p><p><em>Information Technology Investment Management</em>, Federal Housing Finance Agency Advisory Bulletin 2015-06, September 21, 2015.<br></p><p><em>Model Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin 2013-07, November 19, 2013.<br></p><p><em>Operational Risk Management</em>, Federal Housing Finance Agency Advisory Bulletin&#160;2014-02, February 18, 2014.&#160;</p><p>12 CFR Part 1236 Prudential Management and Operations Standards, Appendix.<br></p><p>12 CFR Part 1239.11(a) (risk management program).<br></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance.&#160; Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance.&#160; Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.<br></p></td></tr></tbody></table>
Oversight of Multifamily Seller/Servicer Relationships | Fannie Mae & Freddie Mac | 8/15/2018 4:00:00 AM | AB 2018-05<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2018-05</strong><br></p><p> <strong>OVERSIGHT OF MULTIFAMILY SELLER/SERVICER RELATIONSHIPS</strong><br></p></td></tr></tbody></table><br> <p> <strong style="text-decoration&#58;underline;"> <em>Purpose&#160;</em></strong></p><p>This advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) supervisory expectations to maintain the safety and soundness of their operations by effectively managing multifamily Seller/Servicer relationships.</p><p>FHFA expects each Enterprise to assess financial, operational, legal, compliance, and reputational risks associated with its multifamily Seller/Servicer counterparties and take appropriate action to mitigate those risks or reduce Enterprise exposures. Counterparty risk management, as part of a board-approved risk management framework, should include an Enterprise’s multifamily Seller/Servicer business operations.&#160;</p><div><p>This advisory bulletin is applicable to the counterparty risk management of third-party relationships managed by an Enterprise’s multifamily business unit. FHFA expects the Enterprises to institute proper controls and perform monitoring to identify and manage risks associated with any multifamily counterparty.<br><br></p><p> <em style="text-decoration&#58;underline;"><strong>Background</strong></em></p><p>Each Enterprise uses a limited network of Seller/Servicers that originate and service multifamily loans. 
These loans can be retained in an Enterprise’s portfolio or used as the underlying collateral for securitizations usually sold to investors. Multifamily loans are generally larger than residential loans and have more complicated servicing requirements. Multifamily servicing requirements include performing periodic property inspections and collecting rent roll reports that are used to evaluate the value and stability of the underlying multifamily property. Multifamily loan servicing also presents risk factors such as determining net operating cash flow derived from a subject property, as well as calculating economic metrics (e.g., occupancy and vacancy rates, average monthly rents, and regional unemployment rates). Multifamily underwriting criteria include maximum loan-to-value and minimum debt service coverage ratios as the basis for approval.&#160;</p><p>The term Seller/Servicer, as used in this advisory bulletin, includes approved bank or nonbank entities with a contractual relationship with an Enterprise that originate and service multifamily loans. With Enterprise approval, a designated multifamily servicer can use a subservicer (a servicer that performs servicing on behalf of the servicer) to perform the servicing administration of a loan for a fee. Multifamily Seller/Servicers routinely engage in all aspects of a loan’s lifecycle. Nonbank multifamily Seller/Servicers include publicly traded or privately owned commercial real estate companies.<br><br></p><p> <strong style="text-decoration&#58;underline;"> <em>Guidance</em></strong></p><p>Oversight of multifamily Seller/Servicer relationships should be part of a risk management framework that includes periodic evaluation of counterparty financial performance; operational risk factors; and legal, compliance, and reputational risks. 
That information is used in the approval and ongoing monitoring of multifamily Seller/Servicers to ensure compliance with Enterprise guidelines. An effective risk management framework helps management achieve an Enterprise’s performance and profitability targets and prevent financial loss. It also should promote appropriate reporting and compliance with laws and regulations and help to avoid damage to the Enterprise’s reputation and associated consequences.&#160;</p><p> <strong>Risk Management Framework</strong></p><p>A risk management framework is an important element of corporate governance. Further, an effective risk management framework includes policies that support risk-related decision making. As outlined in Standard 8 of the Prudential Management and Operations Standards (PMOS), prudent risk management processes address the general responsibilities of the board of directors and senior management. The board is responsible for establishing and overseeing a robust risk management governance structure, whereas management is responsible for the development, implementation, and maintenance of the risk management framework.&#160;</p><p>A risk management framework considers each multifamily Seller/Servicer’s lifecycle, including selection of Seller/Servicers (due diligence, including eligibility validation); ongoing monitoring (performance, compliance reviews, and training schedules); and corrective action (remediation, suspension, or termination).&#160;</p><p>Policies and procedures should be tailored to the oversight of multifamily Seller/Servicers to enable an Enterprise to consistently identify, measure, monitor, and control aggregate and emerging risks. Established policies should outline the roles and responsibilities of the first line business units and the second line, enterprise risk management (ERM), which oversees risk management and assesses risk independent of the first line units. 
The responsibilities for risk&#160;ownership, management, control, oversight, and assurance should be clearly understood by both the first line business unit and the ERM group. Policies and procedures should also address the frequency of reporting, escalation, and tracking of policy exceptions or waivers by the Enterprise’s senior management team to the board of directors or committee thereof, depending on the issue and risk exposure to the Enterprise.&#160;</p><p>In addition, policies should address the remediation of deficiencies or weaknesses identified in performance standards or in particular risk areas, as appropriate. The policies should also set standards for taking timely corrective action against a multifamily Seller/Servicer depending on the level and seriousness of the findings.&#160;</p><p> <strong>Selection of Multifamily Seller/Servicers</strong></p><p>Due diligence, including research and analysis of a multifamily Seller/Servicer’s financial condition, operational capabilities, and reputation, is expected before approving a multifamily Seller/Servicer. The Enterprise should evaluate the factors referenced below in the due diligence process, in addition to compliance with eligibility requirements, to assess the strength of the Seller/Servicer.&#160;</p><p> <em>Financial Risk Factors</em></p><p>Financial risk can result from a weak or deteriorating financial performance or condition, adverse market conditions, or extraordinary events. Effective counterparty risk management includes evaluation of a potential Seller/Servicer’s financial condition to assess its ability to continue operations based on components of its capital base, sources of revenue, profit margins, liquidity sources, and cash flow. These factors should be evaluated periodically or as warranted through ongoing monitoring to determine whether a Seller/Servicer has the capacity to meet its financial obligations. 
The Enterprises should consider the following in assessing potential risks to an Enterprise from each multifamily Seller/Servicer’s financial condition, as appropriate&#58;&#160;</p><ul><li>The Seller/Servicer’s ability to perform through various market conditions;&#160;<br></li><li>Ability of the Seller/Servicer to meet loss sharing obligations, if applicable;&#160;<br></li><li>Capability of the Seller/Servicer’s management;&#160;<br></li><li>Internal risk management structure of the Seller/Servicer;&#160;<br></li><li>Industry reputation, product mix, geographic diversity, and estimated loan production volumes;&#160;<br></li><li>The Seller/Servicer’s corporate structure, ownership, and any special financial arrangements;<br></li><li>Quality of the loan portfolio, when the underwriting function is delegated, or servicing performance; and&#160;<br></li><li>Adequacy of the Seller/Servicer’s fidelity bond and errors and omissions insurance coverage that protects the Enterprises from losses resulting from dishonest or fraudulent acts committed by the lender’s employed personnel or outside parties that provide services to the lender.&#160;<br></li></ul><p> <em>Operational Risk Factors</em></p><p>Weak operations or controls can result in exposures to loss resulting from inadequate or failed processes, people, systems, or external events. Noncompliance with the selling and servicing agreements and guide requirements can also create operational risk exposures. 
Operational risk events may prevent a Seller/Servicer from fulfilling its obligations to an Enterprise pursuant to contractual terms.&#160;</p><p>The Enterprises should consider the following, as appropriate, in assessing each multifamily Seller/Servicer’s operational risk&#58;&#160;</p><ul><li>Ability of the servicing operations to absorb future growth in terms of staffing, facilities, and system infrastructure;&#160;<br></li><li>Overall servicing performance by the servicer or subservicers, including routine property inspections and collection of rent roll reports;&#160;<br></li><li>Adequacy of the Seller/Servicer’s information technology management program, including information security practices;&#160;<br></li><li>The Seller/Servicer’s business continuity, disaster recovery, and contingency planning to minimize any potential service disruptions;&#160;<br></li><li>The Seller/Servicer’s risk management program, including internal controls in conjunction with periodic reviews as well as post-closing loan reviews;&#160;<br></li><li>The Seller/Servicer’s management team’s experience level, tenure, and any possible influence by controlling shareholders; and&#160;<br></li><li>The Seller/Servicer’s oversight of its third-party service providers such as subservicers, information technology providers, brokers, and appraisers.&#160;<br></li></ul><p> <em>Legal, Compliance, and Reputation Risk Factors</em></p><p>Legal, compliance, and reputation risks can exist as a result of, among other factors, noncompliance with laws or regulations or from non-adherence to sound industry practices or Enterprise selling and servicing agreements and guides. 
The Enterprises should consider the following in assessing the legal, compliance, and reputation risks associated with each multifamily Seller/Servicer, as appropriate&#58;&#160;</p><ul><li>Maintenance of appropriate federal and state charters or licenses required for, or relevant to, operating its business in the approved jurisdictions;&#160;<br></li><li>Scope of federal and state regulatory oversight and the Seller/Servicer’s compliance program for all applicable laws and regulations;&#160;<br></li><li>Record of compliance from publicly available information sources including past and pending legal actions; and&#160;<br></li><li>Information known or reasonably available to an Enterprise about any civil, criminal, or regulatory issues affecting the Seller/Servicer.&#160;<br></li></ul><p> <strong>Ongoing Monitoring</strong></p><p>Monitoring of multifamily Seller/Servicers is an essential component of managing the risks they pose to an Enterprise. Ongoing monitoring by an Enterprise should be guided by risk-based procedures that outline periodic reviews of critical information to assess a Seller/Servicer’s performance. 
The Enterprise’s risk-based process should be designed to ensure that the direction, depth, and frequency of reviews are commensurate with each multifamily Seller/Servicer’s risk profile.&#160;</p><p>The review should be available for evaluation by staff performing oversight duties (ERM) and should take into account factors assessed during the approval process, as well as the following additional factors, as appropriate&#58;&#160;</p><ul><li>The number and volume of multifamily loans sold to and serviced for an Enterprise and the mix of various product types;&#160;<br></li><li>The quality of the servicing that is performed on behalf of an Enterprise;&#160;<br></li><li>The terms of any risk sharing arrangements in place, periodic review of accounts maintained by third parties, and reconciliation between risk sharing obligations and account balances;<br></li><li>Whether the Enterprises have the ability to collect loan data from the Seller/Servicer, such as exception and waiver statistics, including documented justifications for waivers and results of ongoing performance reviews of those loans;&#160;<br></li><li>Verification of eligibility standards and other terms of business throughout the relationship;&#160;<br></li><li>Results of onsite reviews to validate compliance with the servicing guide, internal controls, and other contract provisions;&#160;<br></li><li>Accuracy, timeliness, and completeness of loan recordkeeping, including loan data systems and loan documentation, throughout the life of the loan; and&#160;<br></li><li>Changes in a Seller/Servicer’s senior management, business model, strategies, or practices.&#160;<br></li></ul><p> <strong>Corrective Action</strong></p><p>The Enterprises have a range of remedies when dealing with a Seller/Servicer that fails to meet its contractual obligations. 
Clear communication between an Enterprise and a Seller/Servicer is critical in resolving areas of noncompliance with the requirements outlined in the respective Seller/Servicer guide. Each Enterprise should have established policies that include a process for taking timely remedial action to exercise contractual rights for termination, suspension, or restriction of activities with a Seller/Servicer. Enterprise policies should include standards for taking appropriate action against a Seller/Servicer that fails to meet an Enterprise’s standards of performance or that poses reputation risk because of noncompliance with applicable laws and regulations or unsound business practices.<br><br></p><p> <strong style="text-decoration&#58;underline;"> <em>Related Guidance</em></strong></p><p>12 CFR Part 1236 Prudential Management and Operations Standards, Appendix.&#160;</p><p> <em>Contingency Planning for High-Risk or High-Volume Counterparties</em>, Federal Housing Finance Agency Advisory Bulletin 2013-01, April 1, 2013.&#160;<br></p><p> <em>Oversight of Single-Family Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014.<br><br></p></div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>FHFA has statutory responsibility to ensure the safe and sound operations of the regulated entities and the Office of Finance. Advisory bulletins describe FHFA supervisory expectations for safe and sound operations in particular areas and are used in FHFA examinations of the regulated entities and the Office of Finance. 
Questions about this advisory bulletin should be directed to&#58; <a href="mailto&#58;SupervisionPolicy@fhfa.gov">SupervisionPolicy@fhfa.gov</a>.<br></p></td></tr></tbody></table>
Information Security Management | All | 9/28/2017 4:00:00 AM | AB 2017-02<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2017-02<br></p><p>INFORMATION SECURITY MANAGEMENT<br></p></td></tr></tbody></table> <br> <p> <strong style="text-decoration&#58;underline;"><em>Purpose</em></strong><br></p><p>This advisory bulletin (AB) provides Federal Housing Finance Agency (FHFA) guidance on information security management for supporting a safe and sound operational environment and promoting the resilience of Fannie Mae, Freddie Mac, the Federal Home Loan Banks, and the Office of Finance (OF) (collectively, the regulated entities&#160;<a href="#ref1">[1]</a>).<br></p><p>The guidance in this AB is applicable to the regulated entities and is based on current regulatory and industry standards. It does not prescribe specific standards or technology solutions, but describes three main components of an information security program (program). Each regulated entity should use a risk-based approach across the key areas listed below to meet FHFA supervisory expectations&#58;<br></p><p>I. Governance<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>A. Roles and Responsibilities</p><p>B. Risk Assessments</p><p>C. Industry Standards</p><p>D. Cyber-Insurance</p></blockquote><p>II. Engineering and Architecture</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>A. Network Security</p><p>B. Software Security</p><p>C. Endpoints</p></blockquote><p>III. Operations</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p>A. Continuous Monitoring</p><p>B. Vulnerability Management</p><p>C. Baseline Configuration</p><p>D. Asset Life Cycle</p><p>E. Awareness and Training</p><p>F. Incident Response and Recovery</p><p>G. User Access Management</p><p>H. 
Data Classification and Protection</p><p>I. Third-Party Oversight</p><p>J. Threat Intelligence Sharing</p></blockquote><div> <br> </div><p>This AB on information security management supersedes AB 2014-05 (Cyber Risk Management Guidance) and the Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002 (Safety and Soundness Standards for Information).</p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"> <em>Background</em></strong><br></p><p>Effective information security management protects the availability, integrity, and confidentiality of information in both electronic and physical form.&#160; Information security management encompasses the management of cyber risk, which focuses on protecting systems and operating locations from, and managing risk related to, cyber threats.&#160;&#160;<br></p><p>The frequency and sophistication of information security threats to the financial services industry increases the importance of information security management.&#160; Information security incidents can compromise sensitive, confidential, or personally identifiable information.&#160; Such incidents can affect the integrity and availability of business critical information and systems and expose an institution to risk.&#160; Each regulated entity’s risk appetite, policies, operational and technological practices, third-party relationships, governance structure, and the level of involvement of the board of directors (board) and senior management should support effective information security management.&#160; FHFA’s guidelines for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Appendix to Part 1236.&#160; Three relevant PMOS articulate guidelines for the board and management when establishing internal controls and information systems (Standard 1), overall risk management processes (Standard 8), and maintenance of adequate records (Standard 10).</p><p> <br> </p><p> <strong 
style="text-decoration&#58;underline;"> <em>Guidance</em></strong><br></p><p>FHFA expects the regulated entities to protect their information technology (IT) environments using a risk-based approach to determine the appropriate activities to include in a comprehensive program.&#160; The regulated entities may use third parties to perform information security activities, but that does not diminish their information security responsibilities.&#160; Although information security risks cannot be eliminated, they can be managed safely and soundly.</p><p> <br> </p><p> <strong>I. Governance</strong><br></p><p>Management at each regulated entity should align the program with the regulated entity’s enterprise risk management framework.&#160; The program should be comprehensive, involve board participation, and include repeatable and executable processes for managing information security risks and incidents.&#160; Each regulated entity should periodically evaluate its approach and appropriately document its program, ensuring that documentation is updated regularly to reflect changes to the program.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">A. 
Roles and Responsibilities</p></blockquote><p>The board is responsible for maintaining and prioritizing a strong information security culture, providing oversight of senior management’s information security risk management activities, and reviewing and approving the information security risk appetite and program.&#160; Delegation of any of these activities to a board-level committee does not relieve all board members of their responsibility to remain informed about how their entity’s information security management practices appropriately address potential risks, consistent with the established risk appetite.&#160;<br></p><p>Senior management is responsible for establishing and implementing a program consistent with the regulated entity’s risk appetite, developing and implementing policies, and supporting the board’s oversight responsibilities.&#160; The program should include procedures, guidelines, and periodic self-assessment activities, and should be proportional to the information security risks at institutional, business, and operational levels.&#160; Senior management should periodically evaluate and update the program, particularly when new risks or program weaknesses are identified.&#160; Furthermore, senior management should establish and maintain information security policies that prioritize information security management efforts in alignment with risk appetite, strategies, goals and objectives, escalation and security incident management procedures, and processes for how to assess and respond to information security risks and incidents.<br></p><p>Senior management should report to the board at least annually on the overall status of the program; any significant issues with their entity’s adherence and exceptions to applicable requirements and guidance; and significant emerging risks, strategies, and other information to ensure that information security management practices appropriately address potential risks.&#160; Management reports should address 
issues such as risk assessments, risk management and control decisions, third-party relationships, results of testing, security breaches or violations and management’s responses, and recommendations for changes in the program.&#160;&#160;</p><p>A Chief Information Security Officer or equivalent (CISO) should head the program at each regulated entity.&#160; The CISO is responsible for overseeing and reporting on the management and mitigation of information security risks.&#160; The CISO should have appropriate independence, authority, and resources to carry out the responsibilities of the position.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">B. Risk Assessments</p></blockquote><p>Each of the regulated entities should conduct periodic risk assessments of its program to identify, understand, and prioritize information security risks relevant to business operations, including assessments of third parties and IT architecture.&#160; Enterprise-wide risk assessments should identify internal and external threats that, alone or in tandem, could result in unauthorized access and subsequent loss, alteration, or exploitation of sensitive, confidential, or personally identifiable information.&#160; The risk assessment should identify the likelihood and potential impact of these threats as well as the residual risk of impact after considering controls and mitigating factors.&#160;&#160;<br></p><p>As part of risk assessments, each of the regulated entities should identify and prioritize which risks to avoid, accept, mitigate, or transfer.&#160; Periodic information security gap analyses should be conducted and reported to the board with steps to promptly remediate gaps.&#160; Management should also establish and maintain a waiver process that includes risk identification and compensating controls for remediation activities that do not comply with policy.<br></p><blockquote 
style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">C. Industry Standards</p></blockquote><p>Each regulated entity’s program should align with appropriate industry standards (e.g., standards promulgated by National Institute of Standards and Technology and International Organization for Standardization) commensurate with the complexity and risk profile of the entity.&#160; Each regulated entity should periodically review its program to verify that it reflects industry standards.&#160; Management should identify and address any gaps between the program and chosen industry standard(s) and should document the rationale for accepted risks.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">D. Cyber-Insurance</p></blockquote><p>If the regulated entity uses an insurance policy to transfer part of the financial exposure of an information security incident, management should understand the extent of coverage, conditions of coverage, and requirements governing the reimbursement of claims and report on them to the board.&#160;&#160;</p><p> <br> </p><p> <strong>II. Engineering and Architecture</strong></p><p>Security engineering and architecture address risks to an IT environment by building security into an information system.&#160; Each regulated entity should design its information networks, software, and Internet-capable devices at the network boundary commensurate with identified information security risks and consistent with the entity’s risk appetite.&#160; The designs should include defense in depth, access control, and separate production and non-production IT environments.&#160;&#160;</p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">A. 
Network Security</p></blockquote><p>The regulated entities should design their networks to allow for continuously monitored network systems that provide a view into operational controls and include the ability to provide timely remediation.&#160; The design of the network should include network segmentation, proxy hosts, firewalls, demilitarized zones, intrusion detection and prevention systems, security zones, and virtual private networks.&#160; FHFA expects the regulated entities to place log generating devices and sensors throughout their respective networks and feed security logs to a security information and event management device for continuous monitoring.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">B. Software Security</p></blockquote><p>Effective software security requires selecting, implementing, and monitoring appropriate controls to restrict end users’ ability to install and modify software.&#160; Each of the regulated entities should integrate application code reviews, security testing, and secure deployment to its development processes.&#160; Each of the regulated entities should also consider other activities such as threat modeling and static code analysis for high-risk, custom application development.&#160; Policies and device and network controls should ensure that users download software only from approved sites.&#160; Each regulated entity should assess and protect against the risks of using open source software (OSS) solutions, including an evaluation of the reliability of the source of the OSS solution.&#160; Such an assessment is particularly important when using OSS without strong support communities.&#160; Each regulated entity should also address user-developed technologies with end-user development policies that include inventory, classification, and testing policies and enforce change and access control.</p><blockquote style="margin&#58;0px 0px 
0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">C. Endpoints</p></blockquote><p>The program should have requirements to secure any organization-owned endpoint using private networks, access control, intrusion detection and prevention, vulnerability scanning, virus protection, and data encryption.&#160; Use of personal devices such as laptops, tablets, and smart phones presents security risks that each regulated entity’s program should fully address.&#160; FHFA expects management to establish and maintain policies for all devices with network access, including employee-, contractor-, and guest-owned devices, and to engineer network and software solutions to manage risks associated with these devices.&#160; The programs should require all users of endpoints connected to regulated entity systems to follow such policies and maintain an information security culture.&#160; Restrictions on resources and applications, segregation of personal data from the regulated entity’s data, and real-time monitoring, such as endpoint detection and response capabilities, should be incorporated into the program.</p><p>Each regulated entity’s program should include policies addressing the use of all configurable media and hardware that have access to the regulated entity’s information.&#160; This may include any removable media, personal devices, laptops, printers, and scanners.&#160; The policy should restrict transfers of information to and from removable media to prevent unwanted disclosure of the regulated entities’ information and to protect the IT environment.</p><p>&#160;<br></p><p> <strong>III. 
Operations</strong></p><p>Security operations provide essential protection of information systems by monitoring, assessing, and defending such systems from threats and harm, and security solutions should be engineered into information systems.&#160; Each regulated entity’s program should apply a defense in depth approach to operational security practices on an ongoing basis, including system monitoring, vulnerability management, baseline maintenance, asset life cycle procedures, staff training, incident response and recovery, access management, data protection, third-party oversight, and threat intelligence sharing.&#160; Additionally, the regulated entities should monitor their physical facilities, including monitoring for exposure to environmental threats.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">A. Continuous Monitoring</p></blockquote><p>An effective program should include continuous monitoring of systems to detect anomalies as well as successful and attempted attacks, including unauthorized activity on or intrusion into information systems.&#160; The program should define monitoring procedures, roles, and responsibilities, and a process for evaluating the effectiveness of identified controls.&#160; Operational security monitoring includes network, physical event, and user activity monitoring.&#160; The regulated entities should use operational security monitoring to mitigate the risks of insider threats.&#160;&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">B. 
Vulnerability Management</p></blockquote><p>Vulnerability management is an essential component of the program and should include both regular vulnerability assessments and the timely remediation of vulnerabilities that exceed the risk appetite.&#160; Unsupported or out-of-date systems, assets, and applications should be identified, monitored, and addressed within a vulnerability management process.&#160; Patches should be reviewed through a testing and approval process prior to deployment.&#160; Procedures should require management’s approval, impact analysis, and justification for any accepted vulnerabilities or vendor-provided upgrades or patches not implemented internally.&#160; Identified vulnerabilities that present considerable risk require prompt analysis and timely approval and remediation.</p><p>The regulated entity should regularly test the effectiveness of key controls, systems, and procedures used to protect against information security risks through vulnerability scanning, internal and external audits, and penetration testing.&#160; Management should develop and maintain risk-based policies that define the scope and frequency of regular tests.&#160; The policies should also define triggers, such as significant changes to technologies or a security incident, that will result in tests of key controls, systems, and procedures.&#160; Independent parties may conduct and review such tests.&#160; Procedures should be in place to track and independently validate the remediation of identified vulnerabilities.&#160; Results from these tests should inform updates to the program.&#160;&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">C. 
Baseline Configuration</p></blockquote><p>The program should include maintenance of accurate and complete inventories of IT assets and systems as well as baseline configurations of assets and systems.&#160; The program should include a formal change management process that governs adjustments to baseline configurations.&#160; The regulated entities should establish and maintain security standards for technology platforms and use tools to automatically compare such standards to the actual configuration of deployed assets and notify appropriate person(s) responsible for security operations of any unapproved changes.&#160;&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">D. Asset Life Cycle</p></blockquote><p>The program should include procedures to define, inventory, maintain, protect, and retire systems and technologies to support continued operations and normal business processes.&#160; Additionally, all systems should have life cycle plans that provide details on procurement, inventory maintenance, ownership, retirement, and disposal.&#160; The program should include procedures requiring documentation of maintenance schedules and repairs on assets in accordance with manufacturer or vendor specifications and internal requirements.&#160; The policies on asset maintenance should also define roles and responsibilities for approving removal of, or changes to, an IT asset, recovery of all information prior to maintenance, and verifying that all security controls function after maintenance.&#160;&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">E. 
Awareness and Training</p></blockquote><p>Consistent with a strong information security culture, the program should include enterprise-wide information security awareness and training processes appropriate to each of the regulated entities’ systems, size, and complexity.&#160; The program should provide that personnel, including third parties with access to the regulated entities’ IT systems, receive general and role-based training on the policies and procedures governing the use of information systems, potential security threats (e.g., phishing), and how management enforces information security policies.&#160; The board should receive training appropriate to its oversight role.&#160; The program should address the expected frequency of awareness and training events, and role-based training qualifications.&#160; All employees and contractors are responsible for maintaining an information security culture involving the protection of the regulated entities’ information and systems.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">F. 
Incident Response and Recovery</p></blockquote><p>The program should include an incident response plan that documents the triggers, procedures, roles and responsibilities, and resources for eradicating and/or limiting the expansion of an information security incident and minimizing its effects.&#160; Incident response plans should address both physical and cyber events that could affect the availability, confidentiality, and integrity of information.&#160; Repeatable and executable procedures to respond to information security incidents should be proportional to the characteristics of the identified exposures.&#160; These procedures should prioritize and establish resiliency requirements for critical services and dependencies, be rehearsed and tested, identify criteria for escalation and reporting, and define scenarios that would result in the execution of the business continuity program.</p><p>The incident response plan should include an incident recovery plan that identifies person(s) responsible for initiating the recovery plan, defines criteria that must be met to return compromised services and technology to the network, and explains how to document the decisions and actions taken for future reference.&#160; Recovery operations should reflect mission and business priorities, recovery point/time and reconstitution objectives, and established organizational metrics.&#160;&#160;</p><p>The incident response plan should address how to coordinate communication with internal and external stakeholders about response and restoration activities.&#160; Additionally, incident response and recovery activities should have sufficient follow-up analyses to determine whether procedures were followed and the actions taken were adequate.&#160; These analyses should include investigating detection system notifications, understanding the impact of incidents, performing forensics, and classifying the incidents.&#160; These analyses should use indicators to appropriately quantify 
the impact of the incident and feed into remediation plans and risk management reporting.&#160;&#160;</p><p>Follow-up analyses should identify areas of improvement for future updates to incident response plans.&#160; An independent party (e.g., internal audit or an outside consultant) should periodically validate the implementation and effectiveness of incident response and recovery activities.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">G. User Access Management</p></blockquote><p>The program should define policies and procedures to grant, revoke, monitor, and regularly review appropriate access for all users.&#160; Access should be based on the minimum rights required for the identified business purpose (least privilege).&#160; The program should establish and maintain a process governing access control for shared accounts and documenting the reasons for using them.&#160; Access for terminated users, and for transferred users whose new roles require different access, should be removed promptly.&#160; The program should include maintenance of access logs to effectively monitor user activity.</p><p>User access security controls should include logical and physical access controls, password safeguards, monitoring for unauthorized changes to IT systems or applications, and network encryption as appropriate.&#160; Each regulated entity should consider whether to adopt additional solutions, including segregation of duties, configuration management, change management, identification and authentication management, and background investigation checks.&#160; Operating locations should be physically secured and designed to deny unauthorized access to facilities, equipment, data, and resources.</p><p>Logical access controls, including remote access management, should restrict remote access usage to that defined in and allowed by relevant policies.&#160; Monitoring of remote access should include the identification of 
remote access devices that attach to systems.&#160; Furthermore, logical access controls should have security features with an appropriate level of sophistication to authenticate users who connect to the network.&#160;<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">H. Data Classification and Protection</p></blockquote><p>Each of the regulated entities possesses sensitive, confidential, or personally identifiable information that it needs to protect from loss, alteration, or exploitation.&#160; Classification of such information based on importance and sensitivity should guide its determination of the appropriate level of protection.&#160; Management should establish and maintain policies that address where sensitive, confidential, or personally identifiable information may reside; how to manage and use that information; and how to transmit, transport, protect, and dispose of that information.</p><p>Each of the regulated entities may protect information through a variety of means, such as using front-end and back-end controls on user access, encryption, verification tools to detect unauthorized changes to data, and data loss prevention measures.&#160; Each of the regulated entities should evaluate the effectiveness of protection and preventative measures regularly.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">I. 
Third-Party Oversight</p></blockquote><p>FHFA expects the regulated entities to understand and manage the risks of third-party access to or maintenance of institutional information.&#160; The information security policies and the sensitivity of, and level of access to, the information should inform third-party security responsibilities.&#160; Each regulated entity’s program should include policies and procedures, contractual assurance for security responsibilities, controls, reporting, nondisclosure of data, and incident notification requirements.&#160; Each regulated entity should define when information security incidents should result in substituting or replacing services provided by third parties, if feasible.</p><p>When using a technology service provider (TSP), such as a cloud computing or technology solutions provider, each of the regulated entities should review the TSP’s information security programs and select a TSP that is consistent with established risk tolerances.&#160; In its selection, each regulated entity should consider the TSP’s abilities to identify and mitigate cyber threats to data and operational infrastructure, effectively carry out incident response procedures for cyberattacks, and maintain adequate business continuity resilience.<br></p><blockquote style="margin&#58;0px 0px 0px 40px;padding&#58;0px;border&#58;currentcolor;"><p style="text-decoration&#58;underline;">J. 
Threat Intelligence Sharing</p></blockquote><p>The Cybersecurity Information Sharing Act of 2015 encourages information sharing between the federal government and other recognized organizations.&#160; Sharing and receiving technical information, such as threat indicators and emerging risks, promotes financial sector resiliency and provides the regulated entities additional situational awareness to keep their defenses current.&#160; Each of the regulated entities should participate in and incorporate information from external coordination efforts relevant to their respective operations.<br></p><p> <br> </p><p> <strong style="text-decoration&#58;underline;"> <em>Related Guidance</em></strong><br></p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Data-Management-and-Usage.aspx">Data Management and Usage</a></em>, Federal Housing Finance Agency Advisory Bulletin AB-2016-04, September 29, 2016.<br></p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Information-Technology-Investment-Management.aspx">Information Technology Investment Management</a></em>, Federal Housing Finance Agency Advisory Bulletin AB-2015-06, September 21, 2015.</p><p> <em>Cyber Risk Management Guidance</em>, Federal Housing Finance Agency Advisory Bulletin AB-2014-05, May 19, 2014 (superseded).<br></p><p> <em> <a href="/SupervisionRegulation/AdvisoryBulletins/Pages/AB-2014-02-OPERATIONAL-RISK-MANAGEMENT.aspx">Operational Risk Management</a></em>, Federal Housing Finance Agency Advisory Bulletin AB-2014-02, February 18, 2014.&#160;</p><p> <a href="https&#58;//www.ecfr.gov/cgi-bin/text-idx?SID=4789529b5c4a4e95899da27516cdc49e&amp;mc=true&amp;node=pt12.10.1233&amp;rgn=div5">12 CFR Part 1233 Reporting of Fraudulent Financial Instruments</a>, February 11, 2013.<br></p><p> <a href="https&#58;//www.ecfr.gov/cgi-bin/text-idx?SID=7d165130b500cae028042a9b47b757aa&amp;mc=true&amp;node=pt12.10.1236&amp;rgn=div5">12 CFR Part 1236 Prudential Management and Operations 
Standards</a>, June 8, 2012.<br></p><p> <em>Safety and Soundness Standards for Information</em>, Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001 (superseded).<br></p><p> <br> </p><hr /> <p> <a name="ref1">[1]</a> The OF is not a “regulated entity” as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act as amended. See <a href="https&#58;//www.gpo.gov/fdsys/pkg/USCODE-2010-title12/html/USCODE-2010-title12-chap46-sec4502.htm">12 U.S.C. 4502(20)</a>. However, for convenience, references to the “regulated entities” in this AB should be read to also apply to the OF.</p><br><br> <table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"> <span style="color&#58;#444444;font-family&#58;inherit;font-size&#58;inherit;font-weight&#58;inherit;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac.&#160; This advisory bulletin is effective immediately upon issuance.&#160; For the FHLBanks, contact Amy Bogdon, Associate Director for Regulatory Policy and Programs, Division of FHLBank Regulation, at <a href="mailto&#58;Amy.Bogdon@fhfa.gov">Amy.Bogdon@fhfa.gov</a>.&#160; For Fannie Mae and Freddie Mac, contact Annie Golden, Supervisory Risk Analyst, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Annie.Golden@fhfa.gov">Annie.Golden@fhfa.gov</a> or Brian Schwartz, Senior Risk Analyst, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Brian.Schwartz@fhfa.gov">Brian.Schwartz@fhfa.gov</a>.</span></td></tr></tbody></table> <br>
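<p>Added example for sections II.A (Network Security) and III.A (Continuous Monitoring) of the Information Security Management bulletin above. It is not FHFA's code and not part of the bulletin: it shows the kind of rule a security information and event management system would run over the security logs the bulletin says should be fed to it. The log lines, host and user names, the five-failure threshold, the five-minute window, the business-hours range and the <code>svc_</code> service-account prefix are all constructed assumptions.</p>

```python
"""Continuous-monitoring detections over constructed authentication logs.

Added example (not from the FHFA bulletin). A SIEM would run rules like these
over logs fed from log-generating devices; the log lines here are constructed
inline so the logic runs offline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; hosts, users and addresses are hypothetical).
SAMPLE_LOGS = """\
2018-09-28T02:10:01 host=vpn-gw1 event=auth user=jdoe src=203.0.113.7 result=FAIL
2018-09-28T02:10:04 host=vpn-gw1 event=auth user=jdoe src=203.0.113.7 result=FAIL
2018-09-28T02:10:08 host=vpn-gw1 event=auth user=jdoe src=203.0.113.7 result=FAIL
2018-09-28T02:10:11 host=vpn-gw1 event=auth user=jdoe src=203.0.113.7 result=FAIL
2018-09-28T02:10:15 host=vpn-gw1 event=auth user=jdoe src=203.0.113.7 result=FAIL
2018-09-28T02:10:20 host=vpn-gw1 event=auth user=jdoe src=203.0.113.7 result=SUCCESS
2018-09-28T09:15:00 host=app-srv2 event=auth user=asmith src=10.0.5.21 result=SUCCESS
2018-09-28T23:40:00 host=db-srv1 event=auth user=asmith src=10.0.5.21 result=SUCCESS
2018-09-28T10:00:00 host=app-srv2 event=auth user=svc_backup src=10.0.9.3 result=FAIL
2018-09-28T10:00:30 host=app-srv2 event=auth user=svc_backup src=10.0.9.3 result=SUCCESS
"""

# Constructed policy values (assumptions, not from the bulletin).
FAIL_THRESHOLD = 5               # failures before a later success is suspicious
FAIL_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 20)    # 07:00-19:59 local time
SERVICE_ACCOUNT_PREFIX = "svc_"  # non-interactive accounts exempt from the off-hours rule


def parse_line(line):
    """Parse one 'key=value' log line into a dict with a datetime timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(log_text):
    """Return a list of (rule, user, src, timestamp) alerts for the log text.

    Rule 1: a SUCCESS preceded by >= FAIL_THRESHOLD failures from the same
            user/source within FAIL_WINDOW (a credential attack that worked).
    Rule 2: an interactive SUCCESS outside business hours (insider-threat
            and misuse indicator the bulletin asks monitoring to cover).
    """
    alerts = []
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps
    for line in log_text.splitlines():
        rec = parse_line(line)
        key = (rec["user"], rec["src"])
        window = recent_failures[key]
        # Drop failures that fell out of the sliding window.
        while window and rec["ts"] - window[0] > FAIL_WINDOW:
            window.popleft()
        if rec["result"] == "FAIL":
            window.append(rec["ts"])
        elif rec["result"] == "SUCCESS":
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("success_after_repeated_failures", *key, rec["ts"]))
            window.clear()
            interactive = not rec["user"].startswith(SERVICE_ACCOUNT_PREFIX)
            if interactive and rec["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_interactive_login", *key, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(*alert)
```

<p>On the constructed input the first rule fires once (for <code>jdoe</code>) and the second rule twice (<code>jdoe</code> at 02:10 and <code>asmith</code> at 23:40); the service account's single failure never reaches the threshold. In a real deployment the account type would come from the directory rather than a name prefix, and the thresholds would be tuned per source.</p>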
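<p>Added example for section III.B (Vulnerability Management) of the Information Security Management bulletin above. It is not FHFA's code: it triages scan findings against a remediation deadline per severity, flags findings that exceed the risk appetite or run on unsupported platforms, and accepts a risk exception only when the management approval, justification and impact analysis the bulletin calls for are all present and unexpired. The severity scale, deadlines, risk appetite, asset names and findings are constructed assumptions.</p>

```python
"""Vulnerability-management triage: remediation deadlines, risk appetite and
documented risk acceptance.  Added example, not from the FHFA bulletin; the
severity scale, deadlines and sample findings are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed risk appetite: remediation deadline (days) by severity; anything
# above RISK_APPETITE_MAX exceeds the appetite unless formally accepted.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
RISK_APPETITE_MAX = "medium"
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Finding:
    finding_id: str
    asset: str
    severity: str
    discovered: date
    remediated: bool = False
    vendor_supported: bool = True   # False = unsupported / out-of-date platform


@dataclass
class RiskAcceptance:
    finding_id: str
    approver: str          # management approval required by the procedure
    justification: str
    impact_analysis: str
    expires: date


def exceeds_appetite(f):
    return SEVERITY_RANK[f.severity] > SEVERITY_RANK[RISK_APPETITE_MAX]


def acceptance_is_valid(acc, today):
    """An acceptance counts only if approver, justification and impact
    analysis are all recorded and it has not expired."""
    complete = all(s.strip() for s in (acc.approver, acc.justification, acc.impact_analysis))
    return complete and acc.expires >= today


def triage(findings, acceptances, today):
    """Return a dict of finding_id -> status string."""
    by_id = {a.finding_id: a for a in acceptances}
    result = {}
    for f in findings:
        if f.remediated:
            result[f.finding_id] = "remediated"
            continue
        acc = by_id.get(f.finding_id)
        if acc is not None:
            # An incomplete or expired acceptance does not excuse the finding.
            result[f.finding_id] = "accepted" if acceptance_is_valid(acc, today) else "acceptance_invalid"
            continue
        deadline = f.discovered + timedelta(days=SLA_DAYS[f.severity])
        if not f.vendor_supported:
            result[f.finding_id] = "unsupported_platform"   # no vendor fix will arrive
        elif today > deadline:
            result[f.finding_id] = "overdue"
        elif exceeds_appetite(f):
            result[f.finding_id] = "open_exceeds_appetite"
        else:
            result[f.finding_id] = "open_within_appetite"
    return result


# Constructed sample data.
TODAY = date(2018, 9, 28)
SAMPLE_FINDINGS = [
    Finding("F-1", "web-01", "critical", date(2018, 9, 1)),
    Finding("F-2", "web-01", "high", date(2018, 9, 20)),
    Finding("F-3", "hr-db", "medium", date(2018, 9, 25), remediated=True),
    Finding("F-4", "legacy-app", "high", date(2018, 8, 1), vendor_supported=False),
    Finding("F-5", "file-srv", "low", date(2018, 9, 27)),
    Finding("F-6", "api-gw", "high", date(2018, 9, 10)),
]
SAMPLE_ACCEPTANCES = [
    RiskAcceptance("F-2", "CISO", "Compensating WAF rule in place", "No data exposure path", date(2018, 12, 31)),
    RiskAcceptance("F-6", "", "Will fix next quarter", "", date(2018, 12, 31)),  # approver and impact missing
]

if __name__ == "__main__":
    for fid, status in triage(SAMPLE_FINDINGS, SAMPLE_ACCEPTANCES, TODAY).items():
        print(fid, status)
```

<p>The point of <code>acceptance_is_valid</code> is that an exception record with a blank approver or no impact analysis is reported as <code>acceptance_invalid</code> rather than silently closing the finding, which is the independent validation of remediation that the section asks for.</p>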
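<p>Added example for section III.C (Baseline Configuration) of the Information Security Management bulletin above. It is not FHFA's code: it compares a security standard per technology platform to the configuration each deployed asset actually reports, ignores deviations covered by an approved change record, and also reports inventoried assets that did not report and reporting assets missing from the inventory. The standards, setting names, asset names and change records are constructed assumptions.</p>

```python
"""Baseline-configuration drift check.  Added example (not from the FHFA
bulletin): a security standard per platform is compared to each deployed
asset's reported configuration; deviations without an approved change record
are what security operations should be notified of.  All data is constructed.
"""
from dataclasses import dataclass

# Constructed security standards ("baselines") per technology platform.
STANDARDS = {
    "linux-server": {
        "ssh.PasswordAuthentication": "no",
        "ssh.PermitRootLogin": "no",
        "audit.enabled": "yes",
        "firewall.default_policy": "deny",
    },
    "windows-server": {
        "smbv1.enabled": "false",
        "audit.enabled": "yes",
        "screensaver.timeout_min": "15",
    },
}

# Constructed asset inventory: asset -> platform.
INVENTORY = {"web-01": "linux-server", "db-02": "linux-server", "dc-01": "windows-server"}

# Constructed approved change records: (asset, setting, approved value).
APPROVED_CHANGES = {("db-02", "ssh.PermitRootLogin", "yes")}

# Constructed configuration as actually reported by deployed assets.
REPORTED = {
    "web-01": {"ssh.PasswordAuthentication": "yes", "ssh.PermitRootLogin": "no",
               "audit.enabled": "yes", "firewall.default_policy": "deny"},
    "db-02": {"ssh.PasswordAuthentication": "no", "ssh.PermitRootLogin": "yes",
              "audit.enabled": "yes", "firewall.default_policy": "deny"},
    "rogue-07": {"audit.enabled": "no"},   # reports in but is not inventoried
}


@dataclass(frozen=True)
class Deviation:
    asset: str
    setting: str
    expected: str
    actual: str   # "<missing>" when the asset did not report the setting


def check_drift(standards, inventory, reported, approved):
    """Return (unapproved_deviations, not_reporting, uninventoried).

    unapproved_deviations: settings that differ from the standard with no
                           approved change record for that asset and value;
    not_reporting:         inventoried assets with no configuration report;
    uninventoried:         assets that reported but are absent from inventory.
    """
    deviations = []
    not_reporting = sorted(a for a in inventory if a not in reported)
    uninventoried = sorted(a for a in reported if a not in inventory)
    for asset, platform in sorted(inventory.items()):
        actual_cfg = reported.get(asset)
        if actual_cfg is None:
            continue
        for setting, expected in standards[platform].items():
            actual = actual_cfg.get(setting, "<missing>")
            if actual != expected and (asset, setting, actual) not in approved:
                deviations.append(Deviation(asset, setting, expected, actual))
    return deviations, not_reporting, uninventoried


if __name__ == "__main__":
    devs, silent, unknown = check_drift(STANDARDS, INVENTORY, REPORTED, APPROVED_CHANGES)
    for d in devs:
        print("UNAPPROVED", d.asset, d.setting, "expected", d.expected, "actual", d.actual)
    print("not reporting:", silent, "| uninventoried:", unknown)
```

<p>Two details matter in practice: a setting the asset does not report at all is treated as a deviation (<code>&lt;missing&gt;</code>), not as compliant, and the approval is keyed on the specific value, so an approved exception for one value does not excuse a later, different change to the same setting.</p>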
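<p>Added example for section III.G (User Access Management) of the Information Security Management bulletin above. It is not FHFA's code: it reconciles an HR roster, an entitlement export, a shared-account register and an access-log summary, and reports the conditions the section asks the program to catch: terminated users who retain access, entitlements beyond what a user's current role needs (least privilege), shared accounts without a documented reason, and entitlements unused for longer than a review threshold. The roster, role matrix, entitlements, accounts and 90-day threshold are constructed assumptions.</p>

```python
"""User access review.  Added example, not part of the FHFA bulletin: the
checks below are one concrete form of the grant/revoke/review process the
section describes.  All input data is constructed.
"""
from datetime import date, timedelta

# Constructed HR roster: account -> (status, current role).
HR = {
    "jdoe": ("active", "developer"),
    "asmith": ("active", "dba"),
    "bwong": ("terminated", "developer"),
    "clee": ("active", "analyst"),   # transferred from developer last month
}

# Constructed least-privilege matrix: role -> entitlements the role may hold.
ROLE_ENTITLEMENTS = {
    "developer": {"git-push", "ci-trigger"},
    "dba": {"db-admin", "db-read"},
    "analyst": {"db-read", "report-view"},
}

# Constructed entitlement export: (account, entitlement).
ENTITLEMENTS = [
    ("jdoe", "git-push"), ("jdoe", "ci-trigger"),
    ("asmith", "db-admin"), ("asmith", "db-read"),
    ("bwong", "git-push"),                       # terminated user still holds access
    ("clee", "db-read"), ("clee", "git-push"),   # leftover from former role
    ("shared-ops", "db-admin"), ("shared-lab", "ci-trigger"),
]

# Constructed shared-account register: account -> documented business reason.
SHARED_REGISTER = {
    "shared-ops": "Break-glass console for on-call DBA; MFA enforced",
    "shared-lab": "",
}

# Constructed access-log summary: (account, entitlement) -> date last used.
LAST_USED = {
    ("jdoe", "git-push"): date(2018, 9, 27), ("jdoe", "ci-trigger"): date(2018, 3, 1),
    ("asmith", "db-admin"): date(2018, 9, 26), ("asmith", "db-read"): date(2018, 9, 26),
    ("clee", "db-read"): date(2018, 9, 25),
}

STALE_AFTER = timedelta(days=90)   # constructed review threshold
TODAY = date(2018, 9, 28)


def review_access(hr, role_matrix, entitlements, shared_register, last_used, today):
    """Return a sorted list of (finding, account, entitlement) tuples."""
    findings = set()
    for account, ent in entitlements:
        if account in hr:
            status, role = hr[account]
            if status != "active":
                findings.add(("terminated_user_retains_access", account, ent))
                continue   # removal is the only sensible action; skip other checks
            if ent not in role_matrix.get(role, set()):
                findings.add(("entitlement_exceeds_role", account, ent))
            used = last_used.get((account, ent))
            if used is None or today - used > STALE_AFTER:
                findings.add(("unused_entitlement", account, ent))
        elif account in shared_register:
            if not shared_register[account].strip():
                findings.add(("shared_account_undocumented", account, ent))
        else:
            findings.add(("account_not_in_roster_or_register", account, ent))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(HR, ROLE_ENTITLEMENTS, ENTITLEMENTS, SHARED_REGISTER, LAST_USED, TODAY):
        print(*finding)
```

<p>The transferred user <code>clee</code> is the instructive case: the export looks legitimate on its own, and only the comparison against the current role and the access log shows that <code>git-push</code> should have been revoked at transfer. Accounts that appear in neither the roster nor the shared-account register are reported as well, since an unexplained account is itself an access-control gap.</p>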
Classifications of Adverse Examination Findings (3/13/2017, AB 2017-01)<p></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2017-01</p><p>CLASSIFICATIONS OF ADVERSE EXAMINATION FINDINGS</p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15px;"> <em>Purpose</em></strong></p><p>This advisory bulletin establishes classifications of adverse examination findings at Fannie Mae, Freddie Mac, the Federal Home Loan Banks (the regulated entities) and the Office of Finance. Adverse examination findings are typically risk management deficiencies, increases in risk exposures, or violations of laws, regulations, or orders that affect the performance or condition of a regulated entity or the Office of Finance. This advisory bulletin establishes classifications of examination findings that identify priorities for remediation by the regulated entities and the Office of Finance and guide FHFA in the development of supervisory strategies. This advisory bulletin supersedes and rescinds Advisory Bulletin 2012-01, <em>Categories of Examination Findings (April 2, 2012)</em>.</p><p> <br> </p><p style="text-decoration&#58;underline;"><strong><em>Communication of Adverse Examination Findings</em></strong></p><p>FHFA staff communicates examination findings to a regulated entity or the Office of Finance&#160;through the examination process. Reports of examination and other formal written&#160;communications summarize examination findings, assessments, and conclusions. FHFA&#160;provides a report of examination to the board of directors of the regulated entity or the Office of&#160;Finance. 
The board’s awareness of significant supervisory issues is critical because it is&#160;ultimately responsible for the organization’s safety and soundness.</p><p> <br> </p><p style="text-decoration&#58;underline;"><strong><em>Adverse Examination Findings Classifications&#58;</em></strong></p><p>When communicating adverse examination findings to the regulated entities and Office of&#160;Finance, examination staff will use the following classifications&#58;</p><div><ol><li><p><em>Matters Requiring Attention</em> (MRAs) fall into one of the following categories&#58;</p></li><ul><li><p>Critical supervisory matters (the highest priority), which pose substantial risk to the&#160;safety and soundness of the regulated entity or the Office of Finance. They may involve instances of noncompliance with laws or regulations of a serious nature or may be&#160;repeat criticisms that have escalated in importance because of insufficient attention or action by the regulated entity or Office of Finance.</p></li><li><p>Deficiencies, which are supervisory concerns that FHFA believes could, if not corrected, escalate and potentially negatively affect the condition, financial performance, risk profile, operations, or reputation of the regulated entity or the Office of Finance.</p></li><li><p>The distinction between critical supervisory matters and deficiencies is the nature and severity of the issues requiring corrective action. Corrective action for an MRA must be articulated in written remediation plans and timeframes that reflect the significance of the findings.</p></li></ul><li><p><em>Recommendations</em> are advisory in nature and suggest changes to a policy, procedure,&#160;practice, or control that supervision staff believes would improve, or prevent deterioration&#160;in, condition, operations, or performance. 
Implementation is discretionary, although FHFA&#160;expects the regulated entity or Office of Finance to implement recommendations unless the&#160;regulated entity or Office of Finance can demonstrate through a reasoned assessment that&#160;the recommended action is unwarranted or is likely to be detrimental to condition,&#160;operations, or performance.</p></li><li><p><em>Violations</em> are matters in which an examination discloses noncompliance with laws, regulations, or&#160;orders. Violations require action by the regulated entity or Office of Finance to correct, if possible,&#160;the past noncompliance with requirements and to change a program or practice to prevent&#160;recurrence. The expected remediation timeframe depends on the seriousness of the actual or&#160;potential consequences of the violation and the time required for the regulated entity to implement&#160;required corrective action. A violation that may negatively affect the condition or practices of the&#160;regulated entity may also be identified as an MRA.</p></li><br><br></ol><div><p style="text-decoration&#58;underline;"><strong><em>Effective Date</em></strong></p><p>The adverse examination findings classifications defined in this Advisory Bulletin are effective for the&#160;2017 examination cycle for Fannie Mae and Freddie Mac. The adverse examination findings&#160;classifications are effective upon issuance of this Advisory Bulletin for all Federal Home Loan Bank&#160;and Office of Finance examinations not yet started.</p><p><br></p><table cellspacing="0" width="100%" class="ms-rteTable-default"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">​Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on&#160;specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac. 
Contact Louis Scalza, Associate Director, Division of Bank Regulation at <a href="mailto&#58;Louis.Scalza@fhfa.gov">Louis.Scalza@fhfa.gov</a> or Jim Griffin, Associate Director, Division of Enterprise Regulation at <a href="mailto&#58;James.GriffinJr@fhfa.gov">James.GriffinJr@fhfa.gov</a>, with comments or questions pertaining to this bulletin.</td></tr></tbody></table><br></div> </div>
Internal Audit Governance and Function (10/7/2016, AB 2016-05)<p></p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p>ADVISORY BULLETIN</p><p>AB 2016-05</p><p>INTERNAL AUDIT GOVERNANCE AND FUNCTION</p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15px;"><em>Purpose</em></strong></p><p>This Advisory Bulletin (AB) applies to Fannie Mae and Freddie Mac (the Enterprises), the Federal Home Loan Banks (FHLBanks) (collectively, the regulated entities), and the FHLBanks' Office of Finance (OF).&#160; References to the regulated entities<a href="#1"><span style="text-decoration&#58;underline;">[1]</span></a> in this AB equally apply to the OF.&#160; This AB rescinds and replaces the following guidance&#58;</p><ul><li>2002-AB-05&#58;&#160; <em>Risk Assessment – Internal Auditor Independence;</em></li><li>1999-AB-10&#58;&#160; <em>Internal Audit Department External Reviews; </em>and</li><li>1996-AB-01&#58;&#160; <em>Examination Reviews of Audit Independence, Audit Committee Oversight of Selection, Compensation and Performance Evaluation of the Audit Director</em>.</li></ul><p>The Federal Housing Finance Agency (FHFA) requires the regulated entities to establish independent Internal Audit (IA) functions and expects those IA functions to provide timely feedback to management and assurance to audit committees on the effectiveness of regulated entities' internal controls, risk management, and governance.&#160; Timely and reliable information about elevated risks and internal control systems is important so that management can make prompt corrections.&#160; This AB sets forth FHFA guidance and supervisory expectations regarding&#58;</p><ol><li>Audit Committee Oversight of the IA Function; &#160;</li><li>IA Independence 
and Objectivity; and</li><li>IA Attributes and Operations - including IA's role in reporting to the audit committee on the regulated entity's identification of significant risks and the existence and effectiveness of related internal controls.<br><br>A regulated entity's risk management framework generally comprises&#58;<br>&#160;</li></ol><ul><li>Units engaged in business operations, which take and manage risks and report directly to management;<a href="#2"><span style="text-decoration&#58;underline;">[2]</span></a></li><li>Independent risk management (including enterprise risk management, compliance, and other risk control functions), which monitors risk-taking activities, assesses risks and issues independent of business operations units, and is separate from first-line operating management but still under the direction and control of senior management; and</li><li>IA, which reports independently to the audit committee on risks, risk management, and the effectiveness of the regulated entity's system of internal controls.<br>&#160;</li></ul><p>This structure is commonly known as the &quot;three lines of defense,&quot; and together these elements should form a strong and effective risk management framework.&#160; The guidance in this AB is consistent with the three lines of defense framework and sets forth FHFA's expectation that IA, as the third line of defense, is independent, objective, and effective at identifying and informing management and the audit committee about the regulated entity's risks and related controls.</p><p>FHFA expects Chief Audit Executives (CAEs)<a href="#3"><span style="text-decoration&#58;underline;">[3]</span></a> to establish and audit committees to oversee IA functions that&#58;&#160; </p><ul><li>Are independent and objective;</li><li>Continuously monitor key activities and associated risks;&#160; </li><li>Adapt audit approaches and activities to address changes; and</li><li>Identify and communicate internal control deficiencies and 
emerging, previously unidentified, or undervalued risks (<em>i.e.</em>, risks that have become more significant) to the audit committee and management.&#160;&#160;&#160;&#160;<br><br>FHFA further expects audit committees, through their direction to and oversight of CAEs and IA functions, to validate that staffing and resource decisions take appropriate account of the risks at the regulated entity.&#160; FHFA expects that these decisions consider the entity's size, scale, complexity of operations, pace of innovation, and financial standing.</li></ul><p style="text-decoration&#58;underline;"> <strong style="font-size&#58;15px;"><em>Background</em></strong></p><p>FHFA recently published a revised rule, 12 CFR Parts 1236 and 1239, <em>Responsibilities</em><em> of Boards of </em> <em>Directors, Corporate Practices,</em><em> and Corporate</em><em> Governance</em><em> </em> <em>Matters</em>, that in part addresses regulated entities' audit committees' oversight of IA functions at the FHLBanks and the Enterprises.&#160; In addition, FHFA's standards for the FHLBanks and Enterprises specifically related to their audit committees and IA functions are in Standard 2 of the <em>FHFA</em><em> </em> <em>Prudential</em><em> </em> <em>Management</em><em> </em> <em>and Operations Standards</em><em> </em>(PMOS) (12 CFR Part 1236, Appendix).&#160; FHFA requirements relating to the OF's audit committee are set forth at 12 CFR 1273.9.</p><p>For the FHLBanks, the regulations prescribe specific details about the composition of the audit committee, the independence of its members, the content of the audit committee charter, and the duties and responsibilities of the audit committee, including its oversight responsibilities with respect to the IA function.<a href="#4"><span style="text-decoration&#58;underline;">[4]</span></a> </p><p>The OF is the FHLBanks' fiscal agent.&#160; It compiles and publishes the FHLBanks' Combined Financial Reports.&#160; The OF's audit committee composition, 
responsibilities, and charter are addressed in 12 CFR 1273.9 and are similar to those applicable to FHLBanks.&#160; The OF is not a Securities and Exchange Commission registrant.</p><p>For the Enterprises, regulations in 12 CFR 1239.5(b) require that all the board committees comply with requirements established by the New York Stock Exchange (NYSE) and that the audit committees also comply with the requirements of Section 301 of the Sarbanes-Oxley Act of 2002.<a href="#5">[5]</a>&#160; Relevant portions of the NYSE rules address the composition of the audit committee, the independence of its members, the general requirements for its charter, the responsibilities and duties of the audit committee (which include assisting the board in oversight of the IA function), and the need for audit committees to meet separately and periodically with management, CAEs, and independent auditors.<a href="#6">[6]</a>&#160; </p><p>Because the existing regulations and guidelines provide general requirements for oversight of the IA function, FHFA is issuing this AB to provide an additional level of detail on the responsibilities of audit committees in their oversight of the IA function, as well as on the independence and operation of the IA function.&#160; This guidance reflects FHFA's supervisory expectations that the audit committee actively and rigorously oversees the IA function and that the function is independent, objective, and effective.&#160; Further, this guidance is informed by FHFA's understanding of industry best practices for IA governance and operations at larger and more complex financial institutions.</p><p>In addition, the provisions of this AB are consistent with IA guidance issued by the federal banking regulatory agencies.&#160; That guidance includes the <em>Interagency Policy Statement on the Internal Audit Function and its Outsourcing</em> (March 17, 2003) and the Federal Reserve Board's <em>Supplemental Policy Statement on the Internal Audit Function and Its 
Outsourcing</em> (January 23, 2013).&#160; This AB is also consistent with the <em>OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches; </em><a href="https&#58;//www.federalregister.gov/regulations/1557-AD78/occ-guidelines-establishing-heightened-standards-for-certain-large-national-banks-federal-savings-as"><span style="text-decoration&#58;underline;"><em>Integration of 12 CFR Parts 30 and 170</em></span></a> (effective November 10, 2014) and with guidance in the October 27, 2009 FHFA <em>Examination for Accounting Practices</em> document, which remains in effect.</p><p style="text-decoration&#58;underline;"> <em style="font-size&#58;15px;"> <strong>Guidance</strong></em></p><p><strong>I.</strong>&#160;&#160;&#160; <strong>Audit Committee Oversight of the IA Function</strong></p><p>The board of directors of each regulated entity is required to have an audit committee responsible for overseeing the IA function and an individual responsible for the IA function (referred to in this document as the CAE, regardless of that individual's title).&#160; The audit committee should have regular and open communications with the CAE.</p><p>The audit committee should direct the CAE to structure the IA function so that it is appropriately designed, independent, and objective, and so that it effectively identifies and assesses risks.&#160; The committee should confirm that the regulated entity's IA audit methodology is established and activities are conducted in accordance with appropriate professional standards, such as the Institute of Internal Auditors' <em>International Standards for the Professional Practice of Internal Auditing</em> (IIA Standards).&#160; The CAE should periodically review IA's audit methodology with the committee, and the committee should approve the methodology and significant changes thereto.&#160; Further, the audit committee should oversee the process by which issues that are reported by IA are promptly addressed and satisfactorily resolved by management.</p><p>A.&#160;&#160;&#160; <em>Audit Committee Charter and the Internal Audit Function</em></p><p>The audit committee is required to operate pursuant to a written charter,<a href="#7"><span style="text-decoration&#58;underline;">[7]</span></a> which should be reviewed at least annually by the audit committee and full board of directors (board), and be re-approved at least every three years by the board.<a href="#8"><span style="text-decoration&#58;underline;">[8]</span></a></p><p>FHFA expects that, at a minimum, the audit committee charter will address the following matters regarding the IA function&#58;<a href="#9"><span style="text-decoration&#58;underline;">[9]</span></a></p><ul><li>CAE selection, evaluation, compensation, and where appropriate, replacement&#58;&#160; The charter should establish that the CAE may be hired or removed only with audit committee approval.</li><li>CAE reporting relationships&#58;&#160; The charter should establish that the CAE reports directly to the audit committee and is ultimately accountable to the audit committee and board of directors in order to maintain independence and objectivity.</li><li>CAE access to the audit committee&#58;&#160; The charter should provide the CAE with unrestricted access to the committee without the need for any prior management knowledge or approval and should establish executive session meetings with the CAE. 
</li><li>Annual review and approval of the Audit Plan&#58;&#160; The committee should confirm that the scope of IA's activities is appropriate and approve the annual Audit Plan and significant changes thereto.</li><li>Annual review and approval of the IA department's budget&#58;&#160; The committee should confirm that IA has sufficient resources to accomplish its objectives and approve the department's budget.</li></ul><p>B.&#160;&#160;&#160; <em>Audit Committee Communication with Internal Audit</em></p><p>The audit committee and the CAE, including IA staff, should have unrestricted access to each other without prior management knowledge or approval.&#160; FHFA expects audit committee leadership to discuss audit matters with the CAE between and apart from regular audit committee meetings to stay current on IA operations, emerging risks, and other relevant matters.&#160; If significant issues arise in these discussions, they should be brought to the full committee in a timely manner.&#160; Regular executive sessions with the CAE are essential to ensure open and complete communications. 
&#160;These executive sessions should be confidential, closed to management, and should be regularly scheduled.</p><p>An important component of effective communications between the CAE and the audit committee is regular written reporting to the audit committee prior to each meeting and otherwise as warranted.&#160; Regular written reports from IA to the committee should generally address&#58;</p><ul><li>Audit Findings and Risk Analyses&#58;</li><ul><li>Audit reports focusing on less than satisfactory findings;</li><li>Significant and higher-risk issue follow-up information, including potential impact, aging, past-due status, root-cause analysis, progress towards remediating significant findings, and thematic trends;</li><li>Clear, timely, detailed reporting on open remediation plans, along with associated timetables that were agreed upon by stakeholders for significant open audit issues;</li><li>Information on significant industry and institution trends in risks and controls;</li><li>An assessment of risk management processes, including whether monitoring processes are appropriate and the effectiveness of management's self-assessment and remediation of identified issues; and</li><li>Aggregate information on the nature of significant trends, if any, in audit findings and observations that have been communicated to management but not detailed in reports to the audit committee.</li></ul><li>Audit Department Performance and Processes&#58;</li><ul><li>Audit coverage and completion versus the Audit Plan;</li><li>Budgeted versus actual audit hours;</li><li>Any updates or amendments to the Audit Plan, including support for changes;</li><li>Results of internal and external quality assurance reviews;</li><li>Updates on the status of IA annual goals and objectives;</li><li>Significant changes in audit staffing levels and the status of required staff training;</li><li>Information on major projects and initiatives; and</li><li>Any significant changes in IA processes, 
including a periodic review of key IA policies and procedures.</li></ul></ul><p>C.&#160;&#160;&#160; <em>Monitoring and Performance Assessments</em></p><p>The audit committee should maintain a robust process for monitoring and, at least annually, formally assessing and evaluating CAE performance and the effectiveness of the IA function.&#160; The process should generally incorporate input from senior management and external auditors, from any outside peer reviews or assessments including regulatory examinations, and from the audit committee's own observations of and interactions with the CAE and IA staff.&#160; The audit committee should document its assessments of the CAE's and IA function's performance.</p><p><strong>II.</strong>&#160;&#160;&#160; <strong>IA Independence and Objectivity</strong></p><p>A.&#160;&#160;&#160; <em>Conflicts of Interest</em></p><p>Before appointing a CAE, and thereafter at least annually, the audit committee should confirm with the CAE and document whether the CAE has any actual or apparent conflicts of interest and should develop appropriate limits for the CAE's activities accordingly.&#160; If an audit committee considers a candidate for CAE with potential conflicts of interest, the conflicts, and any mitigating considerations, should be disclosed to and discussed by the audit committee and should be clearly documented in audit committee records.</p><p>Similarly, the CAE should regularly assess whether IA staff has actual, potential, or apparent conflicts of interest and appropriately restrict the activities of the staff to avoid those conflicts.&#160; At least annually, the CAE should confirm IA activities' independence to the audit committee.&#160; To help maintain the highest level of objectivity in the IA function, CAEs should consider rotating assignments for lead auditors and audit staff when 
feasible.</p><p>B.&#160;&#160;&#160; <em>Placement of IA in the Organization</em></p><p>Properly positioning the CAE and the IA function in a regulated entity's organization helps achieve objectivity and independence of the IA function and minimizes the opportunity for management to unduly influence, override, or limit IA activities or findings.&#160; The most structurally independent organizational arrangement for the IA function would have the CAE report directly to the audit committee regarding both audit issues and administrative matters.&#160; However, the CAE may report administratively to the Chief Executive Officer (CEO) if the audit committee so approves.<a href="#10">[10]</a></p><p>Board and senior management engagement and cooperation with IA are essential to its effectiveness.&#160; Boards and management should give IA full and unconditional access to any records and data, including access to management information systems and records and the minutes of all board and management committee meetings.&#160; FHFA expects IA to have access to management committee meetings and related materials in an ex-officio capacity, and any exceptions should be discussed and reconciled with the audit committee.&#160; Boards and management should also require timely remediation of audit issues.</p><p>C.&#160;&#160;&#160; <em>Scope Limitations</em></p><p>Should management attempt to hinder IA's objectivity and independence, for example, by restricting IA's access to records or personnel, IA staff should disclose to and discuss such attempts with the CAE. 
&#160;If the scope of an audit is affected by management's action, the limitation should be disclosed in the audit report and documented in the associated work papers.&#160; The CAE should immediately report any attempts to hinder IA's objectivity and independence or to limit the scope of an audit activity to the audit committee (generally through the chair) for appropriate resolution.</p><p>D.&#160;&#160;&#160; <em>Internal Audit Compensation Arrangements</em></p><p>CAE compensation, which should be approved by the audit committee, should include an appropriate focus on performing audit activities and should only include incentives tied to actions and outcomes within the CAE's control and influence.&#160; Audit committees should not link CAE incentive compensation to the regulated entity's financial position, results of operations, achieving growth or volume targets, business unit compliance levels, or other measures or metrics that could impair or appear to impair IA independence or objectivity.&#160; CAE compensation should be reasonable and comparable with compensation for employment in other similar businesses (including publicly held financial institutions or major financial services companies) involving similar duties and responsibilities.&#160; To these ends, consulting with and obtaining input from a regulated entity's compensation committee may provide useful insights. 
</p><p style="text-align&#58;justify;"><strong>III.</strong>&#160;&#160;&#160; <strong>IA Attributes and Operations</strong></p><p>A.&#160;&#160;&#160; <em>IA Function Attributes</em></p><p>1.&#160;&#160;&#160;&#160; <em>Internal Audit Department Charter</em></p><p>The IA department should have a written charter, which should be reviewed at least annually and be approved by the audit committee every three years or whenever substantive changes are made.&#160; The charter should define the purposes, authorities, and responsibilities of the IA function.&#160; The charter is the foundational document governing all IA activities.&#160; The charter should generally cover&#58;</p><ul><li>IA Department Structure and Independence</li><ul><li>Indicate the IA function's placement within the regulated entity, the CAE's and IA function's authority, the CAE's functional reporting relationship to the audit committee, and the CAE's administrative reporting to senior management, if any;</li><li>Stipulate that IA has unrestricted access to the audit committee and authorize staff to access all regulated entity records and personnel needed to carry out their function; and</li><li>Require the IA function to maintain its independence and objectivity, particularly if IA provides non-attest services, such as consulting on internal controls design for information technology projects, performing financial reporting internal controls testing under management direction, and/or identifying potential operating inefficiencies for management.</li></ul><li>Applicable Standards and Codes of Ethics</li><ul><li>Identify standards applicable to the IA function and staff, including any professional standards, such as the Institute of Internal Auditors (IIA) Standards; and</li><li>Identify codes of ethics and requirements with which IA staff must comply.&#160; These may include both the regulated entity's own 
written code and one or more professional standard codes, such as the IIA's Code of Ethics.</li></ul><li>Reporting</li><ul><li>Indicate regular reports and items that the IA function is required to provide to the audit committee, including audit plans and annual budget and resource requirements;</li><li>Require timely reporting of significant deviations from approved plans; and</li><li>Require the IA function to monitor and report its activities and management's responses to IA findings, and track, assess, and regularly report on management's remedial actions regarding significant open compliance and regulatory examination issues.</li></ul><li>Performance Assessment and Quality Assurance</li><ul><li>Require the IA function to regularly assess its performance, including its performance relative to the Audit Plan;</li><li>Require the IA function to maintain internal quality assurance processes and programs, and document how weaknesses identified as a result of such processes and programs are addressed; and</li><li>Establish the timeframe for regular external quality reviews (at a minimum every five years) and require the IA function to document how any weaknesses, recommendations, or best practice suggestions identified as a result of such external quality reviews are addressed.</li></ul></ul><p>2.&#160;&#160;&#160;&#160; <em>IA Staffing and Professional Competence</em></p><p>The IA function needs sufficient staff with the requisite knowledge, skills, professional competence, resources, and stature within the regulated entity to assess the effectiveness of the regulated entity's controls and to credibly challenge management.</p><p>A regulated entity should have policies and procedures designed to reinforce that&#58;</p><ul><li>The IA function hires and maintains sufficient, technically competent staff to provide adequate audit coverage of the regulated entity's risks;</li><li>IA staff are provided appropriate training and 
professional development opportunities to enable them to remain current in both technical matters and professional standards; and</li><li>IA staff understand their duties, including the duty to report instances of non-compliance with laws, regulations, regulatory guidance, generally accepted accounting principles, professional standards, or the regulated entity's own policies to the CAE, management, and/or the audit committee, as appropriate. </li></ul><p>Collectively, IA staff, supplemented as needed by external resources, should have the knowledge and skills, as evidenced by education and audit, industry, and technical experience, to audit the entire regulated entity. &#160;Relevant and current professional certifications and licenses provide evidence of certain technical knowledge and skills.&#160; Generally, IA staff should audit business units or functions related to their areas of expertise.</p><p>At least annually, the CAE is expected to assess and document the knowledge, skills, and abilities of IA staff and compare those with both the Audit Plan and the universe of risks in the regulated entity. &#160;When assessing the knowledge, skills, and abilities of IA staff, the CAE may consider management feedback and internal or external quality assurance assessments.&#160; If the assessment identifies gaps within IA staff knowledge, skill, and abilities, the CAE should identify a means for filling those gaps, which might include staff training, hiring new staff, and/or using co-sourcing or outsourcing arrangements.&#160; The CAE should report the results of the assessment to the audit committee.</p><p>The CAE should confirm that he/she and all IA staff receive ongoing formal training.&#160; CAEs and staff should generally receive a minimum of forty hours of training per year. 
&#160;The IA function should have a process to evaluate and monitor the quality and appropriateness of training.&#160; In addition to formal training, IA staff may benefit from staff rotations, both within the IA department and with business and risk management functions, in order to provide IA staff with broader exposure to those functions and opportunities to develop additional areas of expertise.&#160; FHFA encourages such rotations where they are feasible and can be done without compromising audit coverage and IA independence.</p><p>3.&#160;&#160;&#160;&#160; <em>Co-sourcing and Outsourcing Internal Audit Activities</em></p><p>The IA function may be staffed using IA employees solely or by supplementing them with co-sourced or outsourced resources.<a href="#11"><span style="text-decoration&#58;underline;">[11]</span></a>&#160; Co-sourcing or outsourcing engagements are generally entered into when a regulated entity has insufficient staff to complete planned audits in a timely manner or needs technical expertise beyond that of the IA staff.&#160; The CAE retains responsibility for managing and providing the audit committee with reports to enable the audit committee to oversee all IA work, whether done by IA staff, co-sourced, or outsourced.</p><p>Co-sourcing is a partnership between IA and an outside vendor (auditor or firm) that works with and often alongside, but does not replace, existing IA staff.&#160; In co-sourcing, IA staff takes an active part in project planning and decision making and may participate in preparing final reports.&#160; Further, IA manages and/or works alongside the specially-skilled partner(s) or vendor(s).&#160; One objective of co-sourcing may be to transfer knowledge from the vendor to IA. 
&#160;In a co-sourcing arrangement, the vendor has a dual reporting relationship to IA and the vendor's own management.&#160; The CAE should require in associated contracts with co-sourced partners that work complies with applicable IA policies and standards and that the workpapers associated with the co-sourced work are retained by IA, not the vendor.&#160; </p><p>Under an outsourcing arrangement, the outside vendor (auditor or firm) is responsible for performing discrete IA engagements.&#160; The CAE maintains ownership of the entire IA function, including outsourced activities.&#160; When outsourcing audit work, the CAE should approve the scope of work and procedures to be performed. &#160;The CAE remains responsible for results of outsourced work, including findings, conclusions, and recommendations.</p><p>Before hiring a vendor to perform IA work, the CAE should confirm that&#58;&#160; the vendor and staff who will work on the engagement have the technical knowledge and ability to perform the work; the engagement will be effectively managed; the vendor's work will be well-documented; that all control weaknesses and other significant findings, including any apparent regulatory violations, will be timely communicated to the CAE and other stakeholders; and that the regulated entity has appropriate contingency plans should a vendor be released or terminated before completing the engagement.</p><p>Co-sourced and outsourced audit work should be completed pursuant to an engagement letter or similar agreement covering all significant aspects of the engagement.&#160; Such engagement letters should generally&#58;</p><ul><li>Describe expectations and responsibilities for the regulated entity and the vendor;</li><li>Define the work to be performed and the amount and timing of fees to be paid;</li><li>Describe the responsibilities for providing and receiving information, including the type and frequency of contract work status reporting to the CAE and the audit 
committee;</li><li>Describe the process for changing engagement terms, such as for expanding work if significant issues are identified;</li><li>Define conditions that would constitute default and remedies including canceling the engagement;</li><li>Establish who bears the cost of damages arising from errors, omissions, and negligence;</li><li>State that the vendor will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of a member of management or an employee and, if applicable, will comply with American Institute of Certified Public Accountants, Securities and Exchange Commission, Public Company Accounting Oversight Board, and other relevant professional standards, and other applicable regulatory guidance; and</li><li>For any engagements where reports or workpapers will be retained by the vendor&#58;</li><ul><li>Establish that reports created by the vendor during the engagement are the property of the regulated entity, that the regulated entity will be provided with any copies of the related workpapers it deems necessary, and that employees authorized by the regulated entity will have reasonable and timely access to the workpapers prepared by the vendor;</li><li>Specify the locations of reports and the related workpapers and the length of time vendors must maintain workpapers;</li><li>State that FHFA examination staff will have full and timely access to vendor-created IA reports and related workpapers. 
</li></ul></ul><p>B.&#160;&#160;&#160; <em>Internal Audit Operations</em></p><p>1.&#160;&#160;&#160;&#160; <em>Internal Audit Risk Assessments</em></p><p>Regulated entities' IA universes (comprising all auditable entities<a href="#12"><span style="text-decoration&#58;underline;">[12]</span></a> that are significant and subject to risks for which controls should be reviewed) should be regularly updated for organizational changes.&#160; Audit plans should be formulated to provide reasonable assurance that a regulated entity's system of controls is well-designed, operates effectively, and manages risks to an acceptable level.&#160; At least annually, IA should perform a risk assessment that includes reviews of its IA universe and Audit Plan to ensure that all auditable entities receive audit coverage over an appropriate period of time commensurate with associated risks.</p><p>The IA risk assessment should include four basic steps&#58;&#160; 1) identify inherent risks to the regulated entity; 2) understand management's controls over those inherent risks; 3) assess residual or remaining risks to establish the frequency with which activities should be audited; and 4) prioritize auditable entities from the audit universe for audit coverage. 
&#160;The IA risk assessment should also consider multiple approaches.&#160; For example, a &quot;top-down&quot; approach could complement a bottom-up approach.&#160; A top-down approach begins with identifying industry, environmental, and other enterprise-wide current or emerging risks.&#160; A bottom-up approach starts with the audit universe, then assesses and aggregates risks attributable to auditable entities within the audit universe.</p><p>The CAE should perform the risk assessment annually and should document the IA staff's understanding of the entity's significant business activities and the associated risks.&#160; To facilitate risk assessment and audit planning, IA should maintain (or regularly review, if such an inventory is maintained by independent risk management) a complete inventory of all of the regulated entity's material processes, product lines, services, and functions, and then assess the risks, including emerging risks, associated with each.&#160; The risk assessment should consider and address risks to the regulated entity from all sources, both internal and external.&#160; These include, but are not limited to, credit, market, operational, governance, reputational, fraud, and compliance risk.&#160; The assessment should also consider thematic control issues and layered or aggregated risks that cross business units or lines of business.&#160; The risk assessment should analyze and prioritize key risks and risk management functions.</p><p>While the risk assessment should reflect IA's independent analysis, IA may consider all available information, for example, input from management self-assessments. 
&#160;While the formal risk assessment is performed annually, IA should update it as needed for major organizational changes, infrastructure changes, or changes in the regulated entity's external business or regulatory environment.</p><p>As underlying technology has advanced, more business entities are using &quot;Continuous Monitoring&quot; (CM) tools to continuously assess and provide management feedback on whether business processes are performing effectively and &quot;Continuous Auditing&quot; (CA) tools, which allow IA to gather and review control-related business process data.</p><p>FHFA expects IA functions to employ formal CA and/or CM practices.&#160; CA and CM can be conducted by IA staff and/or through technological tools.&#160; In either case, these activities should be conducted pursuant to written policies and procedures that support consistent and comparable results.&#160; CA and CM should be documented through business metrics, management reporting, reports to audit committees, and through any related adjustments made to audit risk assessments and plans.&#160; IA should continuously monitor key business metrics and performance indicators.&#160; IA should work to understand changes and their drivers in order to help identify potential audit issues and changes in the business environment and to adjust risk assessments and audit plans, if needed, in a timely manner.</p><p>2.&#160;&#160;&#160;&#160; <em>Internal Audit Planning</em></p><p>At least annually, IA should review and update the Audit Plan.&#160; The Audit Plan should be based on the risk assessment and should consider key risks and related controls within each significant business and functional activity, the timing and frequency of planned IA work, and a resource budget.&#160; During the planning process, IA should analyze the regulated entity's specific risks, mitigating controls, and level of residual risk. 
&#160;The CAE should have a contingency plan to mitigate any significant disruption to audit coverage, particularly for high-risk areas. &#160;Documentation supporting the Audit Plan should reference the IA program that describes the objectives of the audit work and the audit work expected to be performed during each IA activity.</p><p>The audit planning process should include evaluating management's root cause and lessons learned analyses performed after a significant adverse event.&#160; IA should consider management's analysis of reasons for the adverse event and whether it resulted from a control breakdown or failure.&#160; IA should confirm that management correctly identified the measures needed to prevent a similar event from occurring in the future.&#160; In certain situations, IA should conduct its own lessons learned analysis outlining the remediation procedures necessary to detect, correct, and/or prevent future internal control breakdowns (including improvements in IA processes).</p><p>The audit planning process should also be designed to inform the board's responsibilities for risk oversight to include&#58;&#160; overseeing the regulated entity's operational and risk management; remaining informed about the regulated entity's operations and condition; and remaining informed about the entity's risk exposures and senior management's actions to address them. 
&#160;The Audit Plan should be designed to provide the audit committee with the depth and breadth of IA assurance it needs to inform those responsibilities.</p><p>3.&#160;&#160;&#160;&#160; <em>Internal Audit Coverage of Risk Management and Regulatory Compliance Programs</em></p><p>FHFA regulations require the Enterprises and FHLBanks to appoint a Chief Risk Officer (CRO) to implement and maintain appropriate enterprise-wide risk management practices and a Compliance Officer (CO) to head a compliance program designed to assure that they comply with applicable laws, rules, regulations, and internal controls.&#160; Both officers should regularly report to the board (in addition, the CRO reports to the Risk Committee) and to the CEO.&#160; These functions are part of the regulated entity's second line of defense, its independent risk management function, and are separate from first-line operating management but still under the direction and control of senior management.</p><p>IA is the regulated entity's third line of defense.&#160; IA should, through its risk assessment and auditing processes, provide the audit committee with independent assurance that enterprise risk management and compliance programs are working effectively, that those programs have identified and reported timely enterprise and compliance risks, and that significant risks are managed to an acceptable level.</p><p>4.&#160;&#160;&#160;&#160; <em>Internal Audit Frequency</em></p><p>Internal audits should generally cover the entire audit universe over a maximum four-year period. 
&#160;High-risk areas should generally be audited annually, and moderate- and low-risk audits should be scheduled every 12 to 48 months (or one to four years) based on a risk assessment and ranking that is regularly reviewed and updated.&#160; FHFA expects that IA will weigh both inherent and residual risk when deciding on how frequently to audit an area and in considering the audit approach, including the nature and extent of testing.&#160; The CAE should confirm that higher level risks, including thematic trends and control issues, are not underreported due to being separately captured in moderate- or low-risk audits.<a href="#13"><span style="text-decoration&#58;underline;">[13]</span></a>&#160; Audit plans should be dynamic and include time to expand audit work when unexpected or higher risks are identified through CM activities, scheduled audits, or otherwise.&#160; The CAE should regularly report significant changes to the audit universe or audit plans to the audit committee, along with an analysis supporting the changes.</p><p>5.&#160;&#160;&#160;&#160; <em>Internal Audit Reports</em></p><p>IA reports should generally present the purpose, scope, objectives, and results of the audit, including findings, conclusions, observations, and/or recommendations however styled.&#160; Final reports should also document management's response to findings.&#160; IA should maintain work papers that document the work performed and support the audit report.</p><p>IA should establish and implement a documented methodology that employs appropriate criteria to prioritize and rank audit issues.&#160; The criteria should be sufficiently objective to promote consistent application of judgment and appropriate prioritization of audit issue severity.</p><p>6.&#160;&#160;&#160;&#160; <em>Internal Audit Issues Monitoring and Tracking</em></p><p>Audit committees should regularly receive clear, timely, and detailed reports on 
significant open violations, findings, weaknesses, and other issues, regardless of their original source.&#160; Issues that FHFA requires to be reported to audit committee chairs, whether by FHFA or regulated entities' management, including all FHFA Matters Requiring Attention (MRAs), should be presumed significant.&#160; Issues may originate from IA audits and reviews, external audit, regulatory examinations, management self-identification, outside consultants' work, and other sources.&#160; IA should also verify that significant risks and/or control deficiencies identified by first- and second-line of defense units, external auditors, or other parties are adequately assessed and communicated to management and board stakeholders.&#160; To facilitate the timely and effective remediation of open audit issues, IA and management or the board (as warranted) should agree on a resolution date and on interim milestones, if appropriate.&#160; </p><p>IA should establish standards for performing timely and appropriately rigorous validation work once management asserts that remediation of significant audit issues (to include MRAs) has occurred.&#160; When management or the board indicates that they have performed the required remediation, IA should validate that revised processes and controls are in place, operating, and sustainable before closing the issue.&#160; The level of validation work that IA should perform to close an issue will vary based on the issue's risk, complexity, and associated interdependencies.&#160; For higher-risk issues, IA should verify that sufficient testing is performed over an appropriate period of time to validate that the issue is sustainably resolved. 
</p><p>IA reports should include key information about open remediation plans and associated timetables agreed on by stakeholders.&#160; Reports should highlight significant issues with delayed remediation, including those for which management has taken agreed-upon corrective steps and/or made control design changes that are pending validation, until testing is complete.&#160; These steps should help to verify that control changes are effective and sustainable and to identify issues for which the planned remediation may need to be amended.</p><p>Regulated entities should establish and implement policies and/or procedures as appropriate for documenting, monitoring, tracking, and reporting on management's acceptance of risks for any management decision not to remediate audit issues, or for time extensions to perform agreed-upon remediation.&#160; If such accepted risks are individually or in aggregate more than insignificant, the CAE should consult with senior management and the audit committee as appropriate.</p><p>7.&#160;&#160;&#160;&#160; <em>Quality Assurance Program</em></p><p>An effective IA Quality Assurance Program (QAP) should be implemented to help minimize audit risk, including the risk that an audit reaches inaccurate conclusions.&#160; A QAP should include regular internal processes and reviews, as well as an external Quality Assurance Review (QAR) to be performed at least every five years.</p><p>The internal QAP review should include rigorous reviews by IA management and/or peer reviews of reports and work papers for clarity, adherence to IA policies and procedures, and consistency with relevant professional standards.&#160; The QAP should help confirm that IA policies, procedures, and processes comply with applicable regulatory and industry guidance; are appropriate for the size, complexity, and risk profile of the regulated entity; are updated to reflect changes to internal and external risk factors, emerging risks, and 
improvements in industry practice; and are followed consistently.&#160; QAP reviews and self-assessments may be activity-driven or ongoing.&#160; Gaps identified should be documented and addressed in a timely manner.&#160; The CAE should report the results of the QAP to the audit committee at least annually, and the results from the QAR and any other external review as received.</p><p> <a name="1" id="1"><span style="text-decoration&#58;underline;">[1]</span></a> The OF is not a &quot;regulated entity&quot; as the term is defined in the Federal Housing Enterprises Financial Safety and Soundness Act, as amended.&#160; However, for convenience, references to the &quot;regulated entities&quot; in this AB should be read to also apply to the OF.</p><p> <a name="2" id="2"><span style="text-decoration&#58;underline;">[2]</span></a> &quot;Management&quot; as the term is used in this guidance generally comprises the CEO and subordinate managers, who engage in business operations.</p><p> <a name="3" id="3"><span style="text-decoration&#58;underline;">[3]</span></a> As used in this guidance, the term &quot;Chief Audit Executive&quot; means the individual responsible for the internal audit function at a regulated entity.</p><p> <a name="4" id="4"><span style="text-decoration&#58;underline;">[4]</span></a> 12 CFR 1239.32.</p><p> <a name="5" id="5"><span style="text-decoration&#58;underline;">[5]</span></a> Section 301 of the Sarbanes-Oxley Act does not directly address the audit committee's oversight of the IA function.</p><p> <a name="6" id="6"><span style="text-decoration&#58;underline;">[6]</span></a> NYSE Listed Company Manual, Rule 303A.07.</p><p> <a name="7" id="7"><span style="text-decoration&#58;underline;">[7]</span></a> 12 CFR 1239.5(c).</p><p> <a name="8" id="8"><span style="text-decoration&#58;underline;">[8]</span></a> For the FHLBanks, annual review by the committee and the full board, and re-approval by the board at least every three years, are required by regulation.&#160; 12 CFR 1239.32(d).</p><p> <a name="9" id="9"><span style="text-decoration&#58;underline;">[9]</span></a> For the FHLBanks, these items, except audit committee approval of the IA department budget, are regulatory requirements.&#160; 12 CFR 1239.32(d)(3), (e)(3).</p><p> <a name="10" id="10"><span style="text-decoration&#58;underline;">[10]</span></a> 12 CFR Part 1273.9(b)(5), which relates to the OF only, states &quot;the internal auditor shall report directly to the Audit Committee and administratively to executive management.&quot;</p><p> <a name="11" id="11"><span style="text-decoration&#58;underline;">[11]</span></a> Co-sourced and outsourced audit engagements should be awarded in compliance with the requirements for equal opportunity in employment and contracting under applicable provisions of the Minority and Women Inclusion and Diversity at Regulated Entities and the Office of Finance regulation, 12 CFR 1207.21.</p><p> <a name="12" id="12"><span style="text-decoration&#58;underline;">[12]</span></a> Auditable entities collectively comprise the potential audit universe and may represent business units, departments, processes, general ledger accounts, or other functions at a regulated entity that are suitable for audit.</p><p> <a name="13" id="13"><span style="text-decoration&#58;underline;">[13]</span></a> For example, if a regulated entity relies on user-developed spreadsheets across its operations, and IA has identified high-level or thematic control issues regarding such spreadsheets, the incremental spreadsheet control risk in moderate- or low-risk auditable entities should be aggregated, addressed, and reported appropriately.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie 
Mae, and Freddie Mac.&#160; This Advisory Bulletin is effective January 1, 2017. &#160;Contact David R. Poston, Deputy Chief Accountant, Office of Chief Accountant at <a href="mailto&#58;David.Poston@fhfa.gov"> <span style="text-decoration&#58;underline;">David.Poston@fhfa.gov</span></a> or 202-649-3467, or Nicholas J. Satriano, Chief Accountant, at <a href="mailto&#58;Nicholas.Satriano@fhfa.gov"> <span style="text-decoration&#58;underline;">Nicholas.Satriano@fhfa.gov</span></a> or 202-649-3450, with comments or questions pertaining to this bulletin.</td></tr></tbody></table>
Data Management and Usage19295Fannie Mae & Freddie Mac9/29/2016 4:00:00 AMAB 2016-04<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p><strong>ADVISORY BULLETIN</strong></p><p> <strong>AB 2016-04</strong></p><p> <strong>DATA MANAGEMENT AND USAGE</strong></p></td></tr></tbody></table><p style="text-decoration&#58;underline;"> <strong><em>Purpose</em></strong></p><p>This advisory bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency’s (FHFA) supervisory expectations for the management of data, including expectations for data governance, architecture, quality, and security. Strong data management supports safe and sound operations by enabling an Enterprise to provide secure, accurate, and accessible data to meet business needs and for use in risk management and compliance processes.</p><p style="text-decoration&#58;underline;"> <strong><em>Background</em></strong></p><p>Data management is the development, implementation, and enforcement of policies, procedures, and standards throughout the data lifecycle that establish how data are defined, shared, stored, protected, retrieved, and purged. Strong data management enables an Enterprise to reduce its exposure to operational, financial, and reputational risks. Consistent data management methods can reduce the likelihood of operational errors, adverse business decisions, and financial loss.</p><p>FHFA’s general standards for safe and sound operations are set forth in the Prudential Management and Operations Standards (PMOS) at 12 CFR Part 1236. Standard 1 (Internal Controls and Information Systems) articulates the considerations for the board of directors and management to evaluate when establishing internal controls and information systems. 
FHFA expects the Enterprises to provide relevant, accurate, and timely information to decision-makers and personnel in risk management and compliance functions; to establish and test contingency arrangements for information systems storing data; and to communicate policies and procedures to all personnel with regard to their respective duties and responsibilities. Effective data management includes compliance with applicable laws and regulations and adherence to FHFA supervisory guidance.</p><p style="text-decoration&#58;underline;"> <strong><em>Guidance</em></strong></p><p>FHFA expects each Enterprise to have enterprise-wide data management policies, procedures, and standards. Data architecture should be integrated and provide scalable accessibility and effective utilization across the Enterprise as appropriate. Each Enterprise should establish data quality requirements so that data used for decision-making are relevant, accurate, complete, timely, and consistent. Data management practices should allow users to identify and access appropriate data for business, risk management, and compliance activities and functions. FHFA expects the confidentiality, integrity, and availability of data to be consistent with sound business practices and regulatory requirements.</p><p>Fundamental requirements in the following areas are detailed below&#58;</p><ul><li>Data Governance<br></li><li>Data Architecture<br></li><li>Data Quality<br></li><li>Data Security<br></li><li>Data Usage<br></li></ul><p> <em>Data Governance</em></p><p>Data governance provides the necessary framework to control and support data used in decision-making and risk management. Each Enterprise should establish a data strategy that supports organizational goals through data management, and effective policies, procedures, and standards to maintain the confidentiality, integrity, and availability of Enterprise data throughout the data lifecycle. 
Policies, procedures, and standards should cover, at a minimum, data architecture, data quality, data security, and data usage. Policies and procedures should establish data requirements; controls for assessing and monitoring data; assignment and coordination of individuals’ roles and responsibilities, including their authority to manage the data; and management support and accountability for data-related issues. Policies, procedures, and standards should be reviewed and updated at least annually and aligned with legal and regulatory requirements for records management.</p><p>In order to assure data oversight and accountability, an Enterprise should designate individuals to be responsible for managing data and representing the interests of relevant stakeholders. Defined responsibilities should include, at a minimum, identifying and monitoring controls for processing or storing data; managing content of both structured and unstructured data; and controlling data from internal and external sources. A senior-level management official should be responsible for and report on effective data management practices for each business unit or control function.</p><p>The Enterprises should monitor and enforce data policies, procedures, and standards. Instances of non-compliance should be identified and tracked through to resolution. Metrics to measure and communicate the effectiveness of the Enterprise’s data strategy should be developed and adopted.</p><p> <em>Data Architecture</em></p><p>Data architecture should define and support data requirements and formats, direct the integration of data, and align data investments with the data strategy. An Enterprise should establish data standardization requirements across the organization that are consistent with the data strategy and that reflect the needs of business and risk management functions. Adherence to those requirements should be confirmed throughout the data lifecycle. 
Each Enterprise should deploy data in a way that reduces redundancy and encourages the use of a single-source system of record for each element. Data should be maintained or archived pursuant to business, legal, and risk requirements to allow for recovery or evaluation of historical data outputs, whether stored in an Enterprise’s data center or in a hosted cloud environment. The use of data virtualization should consider appropriate data synchronization and integration.</p><p>Data models define the Enterprise’s technical requirements for data and the structure to support those requirements. Data modeling, in conformance with established standards, can support reliable data quality and reduce disparate data. In order to standardize data and track the flow of data, both business and technical metadata should be used to describe data characteristics for purposes of organization, collection, storage, and usage. Metadata can improve business collaboration, integration, and efficiency by providing organizational understanding of data and the business processes used by the Enterprises.</p><p> <em>Data Quality</em></p><p>An Enterprise should take steps designed to ensure that data are of an acceptable quality to meet business requirements and control function needs. Data should be sufficiently accurate, complete, timely, and consistent to enable the Enterprise to generate reliable results, such as for reporting and risk modeling. 
An Enterprise should have comprehensive data quality management policies and procedures that include outlining roles and responsibilities regarding the collection, dissemination, and maintenance of data, both created and acquired; defining data quality requirements for created data; defining data quality checks for acquired data; and requiring a mechanism for assessing and verifying data quality, data quality metrics, and data conformance requirements.</p><p>Data should be validated at different points in the lifecycle to assure that they meet integrity requirements. An Enterprise should have a methodology for identifying and addressing data inconsistencies, problems, and defects. An Enterprise should design and implement controls intended to ensure the quality of data in use, at rest, and moving through applications or databases. Data standardization should consider the relationships of data and how to maintain the integrity of data from multiple sources. Tools and techniques should be employed to assure conformity to data quality standards. Data used for decision-making should have auditable trails to confirm the quality of the data.</p><p> <em>Data Security</em></p><p>Data must be protected against unauthorized and inappropriate use, modification, disclosure, and purging. Each Enterprise should have policies and procedures for monitoring and managing data security that are intended to ensure confidentiality, integrity, and appropriate availability of data. This includes the creation and maintenance of data classifications and controls consistent with the internal standards established in data governance, data architecture, and data quality management.</p><p>Data security management should contain specific security requirements established for categories of data, such as personally identifiable information, intellectual property, and non-public information. Data security controls should be commensurate with the security requirements. 
Each Enterprise should have procedures and processes to ensure that the controls are documented, reviewed, and tested related to those requirements. In order to secure data, an Enterprise should maintain a comprehensive inventory of databases and contents to identify and protect their data and dataflow. An Enterprise should identify and implement encryption controls that are consistent with industry standards and supervisory guidance.</p><p> <em>Data Usage</em></p><p>Data management enables relevant data to be used by an Enterprise to meet its business needs; manage business risks; and support risk management and compliance functions. Enterprise data, whether generated internally or acquired, should be available to business and risk functions to provide comprehensive, clear, and useful outputs. Reporting or risk modeling processes should accurately aggregate data and be able to be reconciled and validated. Reliance on manual processes to manipulate data should be limited to reduce the possibility of human error. Each Enterprise should establish procedures intended to ensure that reports conveying the same data are consistent enterprise-wide. 
Sufficient controls should be implemented to appropriately protect the confidentiality of distributed information derived from data.</p><p style="text-decoration&#58;underline;"> <strong><em>Related Guidance</em></strong></p><p> <em>Information Technology Investment Management, </em>Federal Housing Finance Agency Advisory Bulletin AB-2015-06, September 21, 2015.</p><p> <em>Cyber Risk Management Guidance, </em>Federal Housing Finance Agency Advisory Bulletin AB-2014-05, May 19, 2014.</p><p> <em>Operational Risk Management, </em>Federal Housing Finance Agency Advisory Bulletin AB-2014-02, February 18, 2014.</p><p> <em>Model Risk Management Guidance, </em>Federal Housing Finance Agency Advisory Bulletin AB-2013-07, November 20, 2013.</p><p>12 CFR Part 1236 Prudential Management and Operations Standards, June 8, 2012.</p><p> <em>Safety and Soundness Standards for Information, </em>Office of Federal Housing Enterprise Oversight Policy Guidance PG-01-002, December 19, 2001.</p><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;">Advisory bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, the Office of Finance, Fannie Mae, and Freddie Mac. This advisory bulletin is effective immediately upon issuance. Contact Kari Walter, Senior Associate Director, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Kari.Walter@fhfa.gov">Kari.Walter@fhfa.gov</a> or Annie Golden, Supervisory Risk Analyst, Office of Governance, Compliance, and Operational Risk at <a href="mailto&#58;Annie.Golden@fhfa.gov">Annie.Golden@fhfa.gov</a> with comments or questions pertaining to this bulletin. 
</td></tr></tbody></table>
Fraud Risk Management19303Fannie Mae & Freddie Mac9/29/2015 4:00:00 AMAB 2015-07<table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> <strong>ADVISORY BULLETIN&#160;</strong><br></p><p> <strong>AB 2015-07</strong><br></p><p> <strong>FRAUD RISK MANAGEMENT&#160;&#160;</strong></p></td></tr></tbody></table><p> <span style="text-decoration&#58;underline;"><strong><em>Purpose</em></strong></span></p><p>This Advisory Bulletin communicates to Fannie Mae and Freddie Mac (the Enterprises) the Federal Housing Finance Agency's (FHFA) supervisory expectations for fraud risk management, including the establishment and maintenance of internal controls to prevent, deter, and detect fraud or possible fraud.&#160; </p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Background</em></strong></span></p><p>Effective fraud risk management is essential to the safe and sound operations of the Enterprises.&#160; Potential exposure to the risk of fraud exists in Enterprise business operations.&#160; For example, single-family and multifamily mortgage operations have exposure to the risk of fraud associated with activities of borrowers, loan originators, mortgage brokers, loan sellers, attorneys, servicers, appraisers, property managers, and third parties engaged to perform functions relating to loans or the collateral securing the loans.&#160; Capital markets activities may expose an Enterprise to fraud committed by counterparties involved in securitizations.&#160; The Enterprises also have potential exposure to fraud risk resulting from insider malfeasance.<a id="ref1" href="#1"><font color="#0066cc">[1]</font></a></p><p>Fraud may subject an Enterprise to financial, operational, legal, or reputational harm.&#160; For example, mortgage fraud may result in financial losses for an Enterprise if a seller does not have the financial ability and willingness to honor its obligation to repurchase 
fraudulent loans.&#160; Other types of fraud may result in financial losses if the fraud is not fully covered by fidelity bond insurance.&#160; An Enterprise may be exposed to litigation or civil money penalties for failure to comply with fraud-related statutes and regulations.&#160; Further, fraud may cause reputational risk if an Enterprise's operations are used or perceived to be used to perpetrate fraud.&#160; While experience demonstrates that fraud may not be prevented completely, it may be deterred or reduced through appropriate anti-fraud procedures that are maintained and reviewed over time.</p><p> <span style="text-decoration&#58;underline;">Examples of Fraud</span></p><p>The Enterprises may encounter various types of fraud.&#160; For example, mortgage fraud may occur in mortgage loans purchased for an Enterprise's own portfolios or for securitization.&#160; Fraud may be committed as part of the origination, underwriting, or closing process or in conjunction with the servicing of a loan on behalf of an Enterprise.</p><p>Mortgage-related fraud may be committed by various participants in the origination, selling, and servicing of mortgage loans.&#160; Borrowers may provide false identification, employment, or income information to obtain approval for a mortgage loan.&#160; Parties involved in loan originations, such as appraisers, attorneys, and title agencies, may misrepresent collateral or the performance of contracted responsibilities, or may divert funds.&#160; Sellers of mortgage loans may misrepresent underwriting standards or deliver a single mortgage loan multiple times.&#160; Servicers may divert custodial or other funds received to accounts used for their own purposes.</p><p>Mortgage-related fraud may be part of larger schemes that include originating mortgage loans through the use of straw borrowers, illegal property flipping, double-pledging of collateral, and builder bailouts.&#160; Post-origination 
mortgage fraud may target financially distressed borrowers to steal equity in or secure title to a property through fraudulent workout schemes or short sales.&#160; </p><p>Insider fraud (<em>i.e.</em>, fraud involving current or former employees and contractors) may include accounting fraud, payroll fraud, embezzlement, or collaboration with external parties in a fraud against an Enterprise or other financial institution.&#160; </p><p>The wide variation of possible fraudulent activities creates a broad range of fraud risk; therefore, an Enterprise should implement a risk-based approach to fraud risk management that takes into account the scope and potential harm to the Enterprise of possible fraud.</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Guidance</em></strong></span></p><p>This Advisory Bulletin describes FHFA's expectations for the oversight of fraud risk management, key elements of a risk-based approach to fraud risk management, and the training and independent testing functions that should accompany an Enterprise's fraud risk management approach. 
&#160;As described below, FHFA expects the Enterprises will take steps to manage fraud risk in all business lines and operational functions.<a href="/SupervisionRegulation/AdvisoryBulletins/Pages/Fraud-Risk-Management.aspx#footnote2"><font color="#0066cc">[2]</font></a></p><p> <span style="text-decoration&#58;underline;">Oversight of Fraud Risk Management</span></p><p>Each Enterprise's board of directors has a responsibility to ensure that the Enterprise's management is committed to effective fraud risk management and that the Enterprise has appropriate policies for preventing and detecting fraud or possible fraud.&#160; The Enterprise should have documented processes in place to appropriately inform the board about fraud risk management activities and significant instances of fraud or possible fraud.&#160; Fraud risk should be included in the risk management policies that are approved by the board or a committee thereof, and reviewed on a periodic basis.&#160; </p><p>The policies should establish the Enterprise's standards and reporting processes relating to fraud and possible fraud.&#160; The policies should designate the management official(s) responsible for the oversight of fraud risk management and define specific roles and responsibilities for personnel with fraud risk management responsibilities.&#160; </p><p>Enterprise management should develop and oversee the implementation of business unit policies and procedures to implement and support anti-fraud and regulatory reporting programs and controls consistent with the Enterprise's policies.&#160; Business unit policies should detail the Enterprise's fraud risk management processes, including risk assessments, internal controls, training, independent testing, fraud response protocols, and board and senior management reporting.&#160; </p><p>The Enterprise should provide for appropriate coordination across business lines and functions of fraud risk management activities and resources.&#160; Areas of 
coordination may include risk assessments, oversight of the design and implementation of anti-fraud and regulatory reporting programs and controls, and reporting to senior management and the board or a committee thereof, as appropriate, the results of the Enterprise's fraud risk management efforts.&#160; </p><p> <span style="text-decoration&#58;underline;">Elements of Fraud Risk Management</span></p><p>Effective fraud risk management should include&#58;</p><ul style="list-style-type&#58;disc;"><li>Ongoing risk assessments to determine areas of heightened risk for possible fraud and adequacy of the control environment. </li><li>Risk-based internal controls that are designed to prevent and deter fraud from occurring.</li><li>Risk-based internal controls that are designed to detect fraud when it occurs.</li><li>Processes for responding to and reporting fraud or possible fraud.</li></ul><p> <em>Risk Assessments</em> </p><p>An Enterprise should have an ongoing process for performing risk assessments to identify and assess risk of fraud and to evaluate controls in place to mitigate risk.&#160; Risk assessments should consider factors such as products, services, customers, counterparties, and geographic locations, and should cover business units and operational and control functions.&#160; Fraud risk assessments should provide the basis for internal controls to prevent and deter fraud and to detect fraud or possible fraud.&#160; An Enterprise should have in place a process for periodically updating fraud risk assessments and making associated changes to internal controls.&#160; </p><p> <em>Fraud Prevention and Deterrence</em></p><p>Each Enterprise should maintain effective internal controls designed to prevent and deter fraud.&#160; The type and scale of internal controls will vary depending on the operational area, product type, and fraud risk.&#160; Types of controls include segregation of duties; a system of proper authorizations; physical safeguards to prohibit access 
to assets and records; a system of independent checks; and records to provide an audit trail.&#160; </p><p>Internal controls should be clearly documented and subject to ongoing review to determine whether they are followed, are effective, and reflect current industry sound practices.&#160; With regard to potential insider fraud, policies related to the consequences of committing or concealing fraud should be communicated clearly to all personnel.&#160; </p><p> <em>Fraud Detection </em></p><p>The complexity and extent of the internal controls for detection of different types of potential fraud in different business activities should be based on the fraud risk assessment, in light of the size, structure, risks, complexity, and vulnerability to fraud of the particular activity.&#160; Fraud detection controls and tools may include, but are not limited to, internal and external tip hotlines; whistleblower vehicles; audits; quality control reviews; and analysis of financial, operational, and transaction data.&#160; Detection methods may involve a review of transactions for possible fraud and, where possible, should include a review for red flags that indicate fraud or possible fraud.&#160; Examples of red flags may include patterns of inconsistency in borrower information, loan documentation, servicer records, and significant servicer performance issues, as well as adverse public information. &#160;Additionally, an Enterprise may identify individuals and firms known to have been involved in fraud. 
&#160;Fraud detection procedures should document when findings will warrant the expansion of the scope of review consistent with current risk assessments.</p><p>Each Enterprise should have adequate information systems to timely capture information needed to detect fraud or possible fraud and comply with regulatory reporting requirements.&#160; </p><p> <em>Fraud Response and Reporting</em></p><p>Each Enterprise should have documented processes for evaluating and responding to various types of possible fraud and for complying with regulatory reporting requirements.&#160; An Enterprise should take steps to make its employees and third parties aware of methods by which they may report possible fraud relating to Enterprise operations.&#160; Furthermore, an Enterprise should ensure that its procedures and resources are sufficient to timely investigate possible fraud.&#160; </p><p>An Enterprise's process should address investigation procedures, protocols for gathering evidence, decision-making authority, internal and regulatory reporting, escalation protocols, remedial action, and disclosure.&#160; Individuals assigned to investigations should have the necessary training, authority, and skills to evaluate possible fraud and determine the appropriate course of action.&#160; The process should include a tracking or case management system(s) where allegations of fraud are logged.&#160; As appropriate, an Enterprise's procedures should also include a review of incidents to determine if improvements need to be made to processes or internal control systems to prevent future incidents of possible fraud.&#160; </p><p>Each Enterprise should have effective, risk-based processes to timely investigate potential fraud to minimize and prevent loss.&#160; Procedures should be in place for reporting investigation findings regarding fraud or possible fraud in accordance with regulatory requirements and Enterprise policy.&#160; </p><p> <span 
style="text-decoration&#58;underline;">Training</span></p><p>Each Enterprise should promote fraud awareness by conveying the importance of fraud prevention and penalties for fraud to all employees. &#160;Each Enterprise should provide and document adequate fraud risk management training that is risk-based and commensurate with trainees' roles and specific responsibilities.&#160; Training should include instruction on regulatory requirements and the Enterprise's policies and procedures to comply with those requirements.&#160; Board and senior management training should reflect their oversight role.&#160; Training should be updated as needed to reflect regulatory changes and industry sound practices, as well as changes to the Enterprise's risk assessments and internal controls.&#160; </p><p> <span style="text-decoration&#58;underline;">Independent Testing</span></p><p>Each Enterprise should conduct regular independent testing in all business lines to determine the overall adequacy and effectiveness of the Enterprise's fraud risk management.&#160; Testing scope, procedures performed, and findings should be documented.</p><p> <span style="text-decoration&#58;underline;"> <strong> <em>Related FHFA Guidance</em></strong></span></p><p> <em>Enterprise Fraud Reporting</em>, Federal Housing Finance Agency Advisory Bulletin 2015-02, March 26, 2015, communicates to the Enterprises FHFA's fraud reporting requirements pursuant to 12 CFR Part 1233.</p><p> <em>Oversight of Single-Family Seller/Servicer Relationships</em>, Federal Housing Finance Agency Advisory Bulletin 2014-07, December 1, 2014, communicates to the Enterprises FHFA's supervisory expectations for managing counterparty risk associated with their relationships with single-family Seller/Servicers.</p><p> <em>Suspended Counterparty Program at 12 CFR Part 1227, </em>generally sets forth the requirements by which each regulated entity submits reports to FHFA when it becomes aware that an individual or institution with 
which it has been engaged in a covered transaction (as such term is defined in the regulation) within the previous three years has been convicted, debarred, suspended, or otherwise sanctioned, based on specified financial misconduct. &#160;FHFA may issue suspension orders in appropriate cases, requiring the regulated entities to cease doing business with such individuals or institutions.</p><p>________________________________ </p><p> <a id="1" href="#ref1">[1]</a> For purposes of this Advisory Bulletin, fraud occurs when a person(s), knowingly and willfully (1) falsifies, conceals, or covers up a material fact by any trick, scheme, or device; (2) makes any materially false, fictitious, or fraudulent statement or representation; or (3) makes or uses any false writing or document knowing the same to contain any materially false, fictitious, or fraudulent statement or entry. </p><p> <a id="2" href="#ref2">[2]</a> The risk management guidance in this Advisory Bulletin complements the requirements for reporting fraud and possible fraud found in&#58; (i) 12 C.F.R. Part 1233, Reporting of Fraudulent Financial Instruments; (ii) 31 C.F.R. Parts 1010 and 1030, Anti-Money Laundering Program and Suspicious Activity Report Filing Requirements for Housing Government Sponsored Enterprises; and (iii) Advisory Bulletin 2015-02, Enterprise Fraud Reporting (March 26, 2015).</p><div><table width="100%" class="ms-rteTable-default" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width&#58;100%;"><p> Advisory Bulletins communicate guidance to FHFA supervision staff and the regulated entities on specific supervisory matters pertaining to the Federal Home Loan Banks, Fannie Mae, and Freddie Mac. &#160;This advisory bulletin is effective immediately upon issuance. 
&#160;Contact&#160;Bobbi Montoya, Associate Director, Examination Standards Branch at&#160;<a href="mailto&#58;Bobbi.Montoya@fhfa.gov">Bobbi.Montoya@fhfa.gov</a>&#160;or&#160;(202)&#160;649-3406, Kathy Beach, Principal Advisor, Office of Supervision Policy at <a href="mailto&#58;Kathy.Beach@fhfa.gov">Kathy.Beach@fhfa.gov</a> or (202) 649-3521, or Ellen Joyce, Principal Risk Analyst, Risk Analysis Branch at <a href="mailto&#58;Ellen.Joyce@fhfa.gov">Ellen.Joyce@fhfa.gov</a> or (202) 649-3409 with comments or questions pertaining to this bulletin. &#160;&#160;</p></td></tr></tbody></table></div>
9/29/2015 1:00:27 PM

© 2018 Federal Housing Finance Agency